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DEPARTMENT OF EDUCATION 

34 CFR Part 99 
RIN 1 855-AA05 

[Docket ID ED-2008-OPEPD-0002] 

Family Educational Rights and Privacy 

AGENCY: Office of Planning, Evaluation, 
and Policy Development, Department of 
Education. 

ACTION: Final regulations. 

SUMMARY: The Secretary amends our 
regulations implementing the Family 
Educational Rights and Privacy Act 
(FERPA), which is section 444 of the 
General Education Provisions Act. 

These amendments are needed to 
implement a provision of the USA 
Patriot Act and the Campus Sex Crimes 
Prevention Act, which added new 
excepti ons permi tti ng the di scl osure of 
personally identifiable information from 
education records without consent. The 
amendments also implement two U.S. 
Supreme Court decisi ons i nterpreti ng 
FERPA, and make necessary changes 
identified as a result of the Department's 
experience administering FERPA and 
the current regulations. 

These changes clarify permissible 
d i scl osu res to parents of el i gi bl e 
students and conditions that apply to 
disclosures in health and safety 
emergencies; clarify permissible 
disclosures of student identifiers as 
directory information; allow disclosures 
to contractors and other outside parties 
in connection with the outsourcing of 
institutional services and functions; 
revi se the defi ni ti ons of attendance, 
disclosure, education records, 
personally identifiable information, and 
other key terms; clarify permissible 
redisclosures by State and Federal 
officials; and update investigation and 
enforcement provisions. 

DATES: These regulations are effective 
January 8, 2009. 

FOR FURTHER INFORMATION CONTACT: 

Frances Moran, U.S. Department of 
Education, 400 Maryland Avenue, SW„ 
room 6W243, Washington, DC 20202- 
8250. Telephone: (202) 260-3887. 

If you use a telecommunications 
device for the deaf (TDD), you may call 
the Federal Relay Service (FRS) at 1- 
800-877-8339. 

Individuals with disabilities may 
obtain this document in an alternative 
format(e.g., Braille, large print, 
audiotape, or computer diskette) on 
request to the contact person I isted 
under FOR FURTHER INFORMATION 
CONTACT. 

SUPPLEMENTARY INFORMATION: On March 
24, 2008, the U .S. Department of 



Education (the Department or we) 
published a notice of proposed 
rulemaking (NPRM) in theFederal 
Register (73 FR 15574). In the preamble 
to the NPRM, the Secretary discussed 
the major changes proposed in that 
document that are necessary to 
implement statutory changes made to 
FERPA, to implementtwo U.S. Supreme 
Court decisions, to respond to changes 
in information technology, and to 
address other issues identified through 
the Department's experi ence i n 
administering FERPA. 

We believe that the regulatory 
changes adopted in these final 
regulations provide clarification on 
many important issues that have arisen 
over time with regard to how FERPA 
affects decisions that school officials 
have to make on an everyday basis. 
Educational agencies and institutions 
face consi derabl e chal I enges, especi al I y 
with regard to maintaining safe 
campuses, protecting personally 
identifiable information in students' 
education records, and responding to 
requests for data on student progress. 
These final regulations, as well as the 
discussion on various provisions in the 
preamble, will assist school officials in 
ad dressing these chal I enges in a manner 
that complies with FERPA and protects 
the privacy of students' education 
records. 

Notice of Proposed Rulemaking 

In the NPRM, we proposed 
regulations to implement section 507 of 
the USA Patriot Act (Pub. L. 107-56), 
enacted October 26, 2001, and the 
Campus Sex Crimes Prevention Act, 
section 1601(d) of the Victims of 
Trafficking and Violence Protection Act 
of 2000 (Pub. L. 106-386), enacted 
October 28, 2000. Other major changes 
proposed in the NPRM included the 
following: 

• Amending § 99.5 to clarify the 
conditions under which an educational 
agency or institution may disclose 
personally identifiable information from 
an eligible student's education records 
to a parent without the prior written 
consent of the el i gi bl e student; 

• Amending § 99.31(a)(1) to authorize 
the disclosure of education records 
without consent to contractors, 
consultants, volunteers, and other 
outside parties to whom an educational 
agency or institution has outsourced 
institutional services or functions; 

• Amending § 99.31(a)(1) to ensure 
that teachers and other school officials 
only gain access to education records in 
which they have legitimate educational 

i nterests; 

• Amending § 99.31(a)(2) to permit 
educational agencies and institutions to 



disclose education records, without 
consent, to another institution even after 
the student has enrol led or transferred 
so long as the disclosure is for purposes 
related to the student's enrol I mentor 
transfer; 

• Amending § 99.31(a)(6) to require 
that an educational agency or institution 
may disclose personally identifiable 
information under this section only if it 
enters i nto a written agreement with the 
organization specifying the purposes of 
the study and the use and destruction of 
the data; 

• Amending § 99.31 to includea new 
subsection to provide standards for the 
rel ease of i nformati on from educati on 
records that has been de-identified; 

• Amending § 99.35 to permit State 
and local educational authorities and 
Federal officials listed in § 99.31(a)(3) to 
make further disclosures of personally 
identifiable information from education 
records on behalf of the educational 
agency or institution; and 

• Amending § 99.36 to remove the 
language requiring strict construction of 
this exception and add a provision 
stating that if an educational agency or 
institution determi nes that there is an 
arti cu I abl e and si gn i f i cant th reat to the 
health or safety of a student or other 
individual, it may disclose the 
information to any person, including 
parents, whose knowledge of the 
information is necessary to protect the 
health or safety of the student or other 
individuals. 

Significant Changes From the NPRM 

These final regulations contain 
several significant changes from the 
NPRM as follows: 

• Amending the definition of 
personally identifiable information in 
§ 99.3 to provide a definition of 
biometric record; 

• Removing the proposed definition 
of State auditor in § 99.3 and provisions 
in § 99.35(a)(3) related to State auditors 
and audits; 

• Revising § 99.31(a)(6) to clarify the 
specific types of information that must 
be contained in the written agreement 
between an educational agency or 
institution and an organization 
conducti ng a study for the agency or 
institution; 

• Removi ng the statement from 
§ 99.31(a)(16) that FERPA does not 
require or encourage agencies or 
institutions to collector mai ntain 
information concerning registered sex 
offenders; 

• Requiring a State or local 
educational authority or Federal official 
or agency that rediscloses personally 
identifiable information from education 
records to record that disclosure if the 
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educational agency or institution does 
not do so under § 99.32(b); and 

• Revi si ng§ 99.32(b) to require an 
educational agency or institution that 
makes a disclosure in a health or safety 
emergency to record information 
concerni ng the ci rcumstances of the 
emergency. 

These changes are explained in 
greater detai I i n the fol I ow i ng A nal ysi s 
of Comments and Changes. 

Analysis of Comments and Changes 

I n response to the Secretary's 
invitation in the NPRM, 121 parties 
submitted comments on the proposed 
regulations. An analysis of the 
comments and of the changes i n the 
regulations since publication of the 
NPRM follows. 

Wegroup major issues according to 
subject, with applicable sections of the 
regulations referenced in parentheses. 
We discuss other substantive issues 
underthesectionsoftheregulationsto 
which they pertain. Generally, we do 
not address technical and other minor 
changes, or suggested changes that the 
law does not authorize the Secretary to 
make. We also do not address comments 
pertai n i n g to i ssu es th at were n ot w i th i n 
the scope of the NPRM. 

Definitions (§ 99.3) 

(a) Attendance 

Comment: We received no comments 
objecti ng to the proposed changes to the 
definition of the term attendance. Three 
commenters expressed support for the 
changes because the availability and use 
of alternative instructional formats are 
not clearly addressed by the current 
regulations. One commenter suggested 
that the definition could avoid 
obsol escence by referri ng to the recei pt 
of instruction leading to a diploma or 
certif i cate i nstead of I i sti ng the types of 
instructional formats. 

Discussion: We proposed to revise the 
definition of attendance because we 
received inquiries from some 
educational agencies and institutions 
asking whether FERPA was applicable 
to the records of students recei vi ng 
instruction through the use of new 
technology methods that do not require 
a physical presence in a classroom. 
Because the definition of attendance is 
key to determi ni ng when an 
individual's records at a school are 
education records protected by FERPA, 
it is essential that schools and 
institutions understand the scope of the 
term. T o prevent the regulations from 
becomi ng out of date as new formats 
and methods are developed, the 
defi nition provi des that attendance may 
also include "other electronic 



information and telecommunications 
technologies." 

While most schools are aware of the 
various formats distance learning may 
take, we bel i eve i t i s i nformati ve to I i st 
the different communications media 
that are currently used. Also, we believe 
that parents, eligible students, and other 
individuals and organizations that use 
the FERPA regulations may find the 
I i sti ng of formats usefu I . 

We do not agree that the defi nition of 
attendance should be limited to receipt 
of instruction leading to a diploma or 
certificate, because this would 
improperly exclude many instructional 
formats. 

Changes: None. 

(b) Directory Information (§§ 99.3 and 
99.37) 

(1) Definition (§ 99.3) 

Comment: We received a number of 
comments on our proposal to revise the 
definition of directory information to 
provide that an educational agency or 
institution may not designate as 
directory information a student's social 
security number (SSN) or other student 
identification (ID) number. The 
proposed definition also provided that a 
student's user ID or other unique 
i denti fi er used by the student to access 
or communicate in electronic systems 
could be considered directory 
information but only if the electronic 
identifier cannot be used to gai n access 
to education records except when used 
in conjunction with one or more factors 
that authenticate the student's identity. 

All commenters agreed that student 
SSNs should not be disclosed as 
directory information. Several 
commenters strongly supported the 
definition of directory information as 
proposed, noting that failure to curtail 
the use of SSNs and student I D numbers 
as d i rectory i nformati on cou I d faci I i tate 
identity theft and other fraudulent 
activities. 

One commenter said that the 
proposed regulations did not go far 
enough to prohibit the use of students' 
SSNs as a student ID number, placing 
SSN son academic transcripts, and 
using SSNs to search an electronic 
database. Another commenter expressed 
concern that the proposed regulations 
could prohibit reporting needed to 
enforce students' financial obligations 
and other routine business practices. 
According to this commenter, 
restrictions on the use of SSNs in 
FERPA and elsewhere demonstrate the 
need for a single student identifier that 
can be tied to the SSN and other 
identifying information to use for grade 
transcri pts, en rol I ment veri f i cati on , 



default prevention, and other activities 
that depend on sharing student 
information. Another commenter stated 
that institutions should not be allowed 
to penalize students who opt out of 
directory information disclosures by 
denyi ng them access to benefits, 
services, and required activities. 

Several commenters said that the 
definition in the proposed regulations 
was confusi ng and unnecessari ly 
restri cti ve because it treats a student I D 
number as the functional equivalent of 
an SSN. They explained that when 
providing access to records and 
services, many institutions no longer 
use an SSN or other single identifier 
that both identifies and authenticates 
identity. As a result, at many 
institutions, the condition specified in 
theregulationsfortreatingelectronic 
identifiers as directory information, i.e., 
that the identifier cannot be used to gain 
access to education records except when 
used in conjunction with one or more 
factors that authenticate the user's 
identity, often applies to student ID 
numbers as wel I because they cannot be 
used to gain access to education records 
without a personal identification 
number (PIN), password, or some other 
factor to authenticate the user's identity. 
Some commenters suggested that our 
nomenclature is the problem and that 
regardless of what it is called, an 
identifier that does not al low access to 
education records without the use of 
authentication factors should be treated 
as directory information. According to 
one commenter, allowing institutions to 
treat student I D numbers as di rectory 
information in these circumstances 
would improve business practices and 
enhance student privacy by encouragi ng 
institutions to require additional 
authentication factors when using 
student ID numbers to provide access to 
education records. 

One commenter strongly opposed 
allowing institutions to treat a student's 
electronic identifier as directory 
information if the identifier could be 
made avail able to parties outside the 
school system. This commenter noted 
that electronic identifiers may act as a 
key, offeri ng d i rect access to the 
student's entire file, and thatPINsand 
passwords alone do not provide 
adequate security for education records. 
Another commenter said that if 
electronic identifiers and ID numbers 
can be released as directory information, 
then password requirements need to be 
more stri ngent to guard agai nst 
unauthorized access to information and 
identity theft. 

Some commenters recommended 
establ i sh i ng categori es of d i rectory 
information, with certain information 
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made available only within the 
educational community. One 
commenter expressed concern about 
I nternet safety because the regu I ati ons 
allow publication of a student's e-mail 
address. Another said that FERPA 
should not prevent institutions from 
printing the student's ID number on an 
ID card or otherwise restrict its use on 
campus but that publication in a 
directory should not be allowed. 

T wo commenters asked the 
Department to conf i rm that the 
regulations allow institutions to post 
grades using a code known only by the 
teacher and the student. 

Discussion: We share commenters' 
concerns about the use of students' 
SSNs. In general, however, there is no 
statutory authority under FERPA to 
prohibit an educational agency or 
institution from using SSNs as a student 
ID number, on academic transcripts, or 
to search an electronic database so long 
as the agency or institution does not 
disclose the SSN in violation of FERPA 
requirements. As discussed elsewhere 
in this preamble, FERPA does prohibit 
using a student's SSN, without consent, 
to search records in order to confirm 
directory information. 

Some States prohibit the use of SSNs 
as a student ID number, and some 
institutions have voluntarily ceased 
using SSNs in this manner because of 
concerns about identity theft. Students 
are required to provide their SSNs in 
order to receive Federal financial aid, 
and the regulations do not prevent an 
agency or institution from using SSNs 
for this purpose. We note that FERPA 
does not address, and we do not bel ieve 
that there is statutory authority under 
FERPA to require, creation of a single 
student identifier to replace the SSN. In 
any case, the Department encourages 
educational agencies and institutions, as 
well as State educational authorities, to 
fol low best practices of the educational 
community with regard to protecting 
students' SSNs. 

We agree that students should not be 
penalized for opting out of directory 
information disclosures. Indeed, an 
educational agency or institution may 
not require parents and students to 
waive their rights under FERPA, 
i ncl udi ng the right to opt out of 
directory information disclosures. On 
the other hand, we do not i nterpret 
FERPA to require educational agencies 
and institutions to ensure that students 
can remain anonymous to others in the 
school community when using an 
i nsti tuti on 's el ectron i c commu n i cati ons 
systems. As a result, parents and 
students who opt out of di rectory 
information disclosures may not be able 
to use electronic communications 



systems that requ i re the rel ease of the 
student's name or electronic identifier 
within the school community. (As 
discussed later in this notice in our 
discussion of the comments on 
§ 99.37(c), the right to opt out of 
directory information disclosures may 
not be used to al I ow a student to remai n 
anonymous in class.) 

The regulations allow an educational 
agency or institution to designatea 
student's user ID or other electronic 
identifier as directory information if the 
i denti f i er f u ncti ons essenti al I y I i ke the 
student's name, and therefore, 
disclosure would not be considered 
harmful or an invasion of privacy. That 
is, the identifier cannot be used to gain 
access to education records except when 
combined with one or more factors that 
authenticate the student's identity. 

We have historically advised that 
student ID numbers may not be 
di scl osed as d i rectory i nformati on 
because they have traditionally been 
used like SSNs, i.e., as both an identifier 
and authenticator of identity. We agree, 
however, that the proposed definition 
was confusing and unnecessarily 
restri cti ve because i t fai I ed to recogn i ze 
that many institutions no longer use 
student ID numbers in this manner. If a 
student identifier cannot be used to 
access records or communicate 
electronically without one or more 
add i ti onal factors to authenti cate the 
user's identity, then the educational 
agency or institution may treat itas 
directory information under FERPA 
regardless of what the identifier is 
called. Wehave revised the definition of 
directory information to provide this 
flexibility. 

We share the commenters' concerns 
about the use of PI Ns and passwords. I n 
the preamble to the NPRM, we 
explained that PINs or passwords, and 
single-factor authentication of any kind, 
may not be reasonable for protecting 
access to certai n ki nds of i nformati on 
(73 FR 15585). We also recognize that 
user IDs and other electronic identifiers 
may provide greater access and I i nki ng 
to information than does a person's 
name. Therefore, we remind educational 
agenci es and i nsti tuti ons that d i scl ose 
student ID numbers, user IDs, and other 
electronic identifiers as directory 
i nformati on to exami ne thei r 
recordkeeping and data sharing 
practices and ensure that, when these 
identifiers are used, the methods they 
select for authenticating identity 
provide adequate protection agai nst the 
unauthorized disclosure of information 
in education records. 

We also share the concern of 
commenters who stated that students' 
e-mail addresses and other identifiers 



should be disclosed as directory 
information only within the school 
system and should not be made 
avail able outside the institution. The 
disclosure of directory information is 
permissive under FERPA, and, 
therefore, an agency or institution is not 
required to designate and disclose any 
student identifier (or any other item) as 
directory information. Further, while 
FERPA does not expressly recognize 
d i fferent I evel s or categori es of d i rectory 
information, an agency or institution is 
not required to make student directories 
and other directory information 
available to the general public just 
because the information is shared 
within the institution. For example, 
under FERPA, an institution may decide 
to make students' electronic identifiers 
and e-mail ad dresses avail able within 
the institution but not rel ease them to 
the general public as directory 
information. In fact, the preamble to the 
NPRM suggested that agencies and 
institutions should minimize the public 
rel ease of student di rectori es to mi ti gate 
the risk of re-identifying information 
that has been de-identified (73 FR 
15584). 

With regard to student ID numbers in 
particular, an agency or institution may 
print an ID number on a student's ID 
card whether or not the number is 
treated as directory information because 
under FERPA simply printing the ID 
number on a card, without more, is not 
a disclosure and, therefore, is not 
prohibited. See 20 U.S.C. 1232g(b)(2). If 
the student ID number is not designated 
as directory information, then the 
agency or institution may not disclose 
the card, or requ ire the student to 
disclose the card, except in accordance 
with one of the exceptions to the 
consent requirement, such as to school 
officials with legitimate educational 
interests. If the student ID number is 
designated as directory information in 
accordance with these regulations, then 
it may be disclosed. However, the 
agency or institution may still decide 
agai nst maki ng a directory of student I D 
numbers avail able to the general public. 

We discuss codes used by teachers to 
postgradesin our discussion of the 
definition of personally identifiable 
information elsewhere in this preamble. 

Changes: We have revised the 
definition of directory information in 
§ 99.3 to provide that directory 
information includes a student ID 
number if it cannot be used to gai n 
access to education records except when 
used with one or more other factors to 
authenti cate the user's identity. 
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(2) Conditions for Disclosing Directory 
Information 

(i) 99.37(b) 

Comment: All comments on this 
provision supported our proposal to 
clarify that an educational agency or 
institution must continue to honor a 
val i d request to opt out of d i rectory 
information disclosures even after the 
student no longer attends the 
institution. Onecommenter stated that 
the proposed regulations appropriately 
provided former students with the 
continuing ability to control the release 
of directory information and remarked 
that this will benefit students and 
fami I ies. One commenter asked how 
long an opt out from directory 
information disclosures must be 
honored. Another commenter said that 
students may object if their former 
schoolsdo not disclose directory 
information without their specific 
written consent because the school is 
unableto determine whether the 
student previously opted out. This 
could occur, for example, if a school 
declined to disclose that a student had 
received a degree to a prospective 
employer. 

Discussion: The regulations clarify 
that once a parent or el i gi ble student 
opts out of d i rectory i nformati on 
disclosures, the educational agency or 
institution must continue to honor that 
election after the student is no longer in 
attendance. Whilethis is nota new 
interpretation, school districts and 
postsecondary institutions have been 
unclear about its application and have 
not administered it consistently. The 
inclusion in the regulations of this 
longstanding interpretation is necessary 
to ensure that schools cl early 
understand their obligation to continue 
to honor a decision to opt out of the 
disclosure of directory information after 
a student stops attendi ng the school , 
until the parent or eligible student 
rescinds it. 

Educational agencies and institutions 
are not required under FERPA to 
disclose directory information to any 
party. Therefore, parents and students 
have no basis for objecti ng if an agency 
or institution does not disclose directory 
information because it is not certain 
whether the parent or student opted out. 
The regulations provide an educational 
agency or institution with the flexibility 
to determi ne the process it bel ieves is 
best suited to serve its population as 
long as it honors prior elections to opt 
out of d i rectory i nformati on d i scl osu res. 

Changes: None. 



(ii) § 99.37(c) 

Comment: We received two comments 
in support of our proposal to clarify in 
this section that parents and students 
may not use the right to opt out of 
directory information disclosures to 
prevent disclosure of the student's name 
or other identifier in the classroom. 

Discussion: We appreciate the 
commenters' support. 

Changes: None. 

(iii) § 99.37(d) 

Comment: T wo commenters 
supported the prohibition on using a 
student's SSN to disclose or confirm 
directory information unlessa parent or 
eligi blestudent provides written 
consent. One of these commenters 
questi oned the statutory basi s for this 
interpretation. 

Several commenters asked whether, 
under the proposed regulations, a 
school must deny a request for directory 
i nformati on if the requester suppl i es the 
student's SSN. One commenter asked 
whether a request for directory 
information that contains a student's 
SSN may be honored so long as the 
school does not use the SSN to locate 
the student's records. Onecommenter 
stated that the regulations could more 
effectively protect students' SSNs but 
was concerned that denyi ng a request 
for directory i nformati on that contai ns 
an SSN may inadvertently confirm the 
SSN. 

One commenter expressed concern 
that the prohibition on using a student's 
SSN to verify directory information 
would leave schools with large student 
populations unableto locate the 
appropriate record because they will 
need to rely solely on the student's 
name and other directory information, if 
any, provided by the requester, which 
may be duplicated in their databases. 
This commenter said that students 
would object if institutions were unable 
to respond quickly to requests by banks 
or landlords for confirmation of 
enrol I ment because the request 
contai ned the student's SSN . 

One commenter suggested that the 
regulations require an educational 
agency or institution to notify a 
requester that the release or 
confirmation of directory information 
does not confi rm the accuracy of the 
SSN or other non-directory information 
submitted with the request. Another 
commenter asked whether the 
regulations apply to confirmation of 
student enrol I ment and other directory 
information by outside service providers 
such as the National Student 
Clearinghouse. 

Discussion: The provision in the 
proposed regulations prohibiting an 



educational agency or institution from 
using a student's SSN when disclosing 
or verifying directory information is 
based on the statutory prohibition on 
disclosing personally identifiable 
information from education records 
without consent in 20U.S.C. 1232g(b). 
The prohibition applies also to any 
party outside the agency or institution 
providing degree, enrollment, or other 
confirmation services on behalf of an 
educational agency or institution, such 
as the Nati onal Student Cleari nghouse. 

A school is not required to deny a 
request for directory information about 
a student, such as confirmation whether 
a student is enrolled or has received a 
degree, if the requester suppl ies the 
student's SSN (or other non-directory 
information) along with the request. 
However, in releasing or confirming 
directory information about a student, 
the school may not use the student's 
SSN (or other non-directory 
information) supplied by the requester 
to identify the student or locate the 
student's records unless a parent or 
eligi ble student has provided written 
consent. This is because confirmation of 
information in education records is 
considered a disclosure under FERPA. 
See 20 U .S.C. 1232g(b). A school 's use 
of a student's SSN (or other non- 
directory information) provided by the 
requester to confi rm enrol I ment or other 
directory information implicitly 
confirms and, therefore, discloses, the 
student's SSN (or other non-directory 
information). This is true even if the 
requester also provides the school with 
the student's name, date of bi rth, or 
other d i rectory i nformati on to hel p 
identify the student. 

A school may choose to deny a 
request for directory information, 
whether or not it contains a student's 
SSN, because only a parent or eligible 
student has a rightto obtain education 
records under FERPA. Denial of a 
request for directory information that 
contains a student's SSN is not an 
i mpl i ci t confi rmati on or di scl osure of 
the SSN. 

These regulations will not adversely 
affect the ability of institutions to 
respond quickly to requests by parties 
such as banks and landlords for 
confi rmation of enrol I ment that contai n 
the student's SSN because students 
generally provide written consent for 
schools to disclose information to the 
inquiring party in order to obtain 
banking and housing services. We note, 
however, that if a school wishes to use 
the student's SSN to confirm enrol I ment 
or other directory i nformation about the 
student, it must ensure that the written 
consent provided by the student 
i ncl udes consent for the school to 
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disclose the student's SSN to the 
requester. 

There is no authority in FERPA to 
requi re a school to notify requesters that 
it is not confi rming the student's SSN 
(or other non-directory information) 
when itdiscloses or confirms directory 
information. However, when a party 
submits a student's SSN along with a 
request for directory information, in 
order to avoid confusion, unless a 
parent or eligible student has provided 
written consent for the di scl osure of the 
student's SSN, the school may indicate 
that it has not used the SSN (or other 
non-directory information) to locate the 
student's records and that its response 
may not and does not confi rm the 
accuracy of the SSN (or other non- 
di rectory information) supplied with the 
request. 

We recognize that with a large 
database of student i nformati on, there 
may be some loss of abi I ity to identify 
students who have common names if 
SSNs are not used to help identify the 
individual. However, schoolsthatdo 
not use SSNs supplied by a party 
requesting directory information, either 
because the student has not provided 
written consent or because the school is 
not certai n that the written consent 
i ncl udes consent for the school to 
disclose the student's SSN, generally 
may use the student's address, date of 
birth, school, class, year of graduation, 
and other directory information to 
identify the student or locate the 
student's records. 

Changes: None. 

(c) Disclosure (§ 99.3) 

Comment: Two commenters said that 
the proposal to revise the definition of 
disclosure to exclude the return of a 
document to its source was too broad 
and could lead to improper release of 
highly sensitive documents, such as an 
individualized education program (IEP) 
contai ned i n a student's sped al 
education records, to anyone cl aiming 
to be the creator of a record. One of the 
commenters stated that changi ng the 
definition was unnecessary, as schools 
al ready have a means of verifyi ng 
documents by requesting additional 
copies from the source. Both 
commenters also expressed concern 
that, because recordation is not 
required, a parent or eligible student 
will not be aware that the verification 
occurred. 

We also received comments of strong 
support for the proposed change to the 
definition of disclosure. The 
commenters stated that this change, 
targeted to permit the release of records 
back to the institution that presumably 
created them, will enhance an 



institution's ability to identify and 
investigate suspected fraudulent records 
in a timely manner. 

Discussion: For several years now, 
school officials have advised us that 
problems related to fraudulent records 
typically involve a transcript or letter of 
recommendation that has been altered 
by someone other than the responsible 
school official. Under the current 
regulations, an educational agency or 
institution may ask for a copy of a 
record from the presumed source when 
it suspects fraudulent activity. However, 
si mply asking for a copy of a record may 
not be adequate, for example, if the 
original record no longer exists at the 
sending institution. In these 
circumstances, an institution will need 
to return a record to its identified source 
to be able to verify its authenticity. The 
fi nal regu I ati ons permi t a targeted 
release of records back to the stated 
source for verification purposes in order 
to provide schools with the flexibility 
ne^Jed for this process while preserving 
a more general prohibition on the 
release of information from education 
records. 

We do not agree that the term 
disclosure as proposed intheNPRM is 
too broad and could lead to the 
i mproper rel ease of h i gh I y sen si ti ve 
documents to anyone claiming to be the 
creator of the record. School officials 
have not advised us that they have had 
problems receiving IEP records and 
other highly sensitive mated al s from 
parti eswhodid not in fact create or 
provide the record. Therefore, we do not 
believe that the proposed definition of 
disclosure is too broad. 

The commenters are correct that the 
return of an education record to its 
source does not have to be recorded, 
because it is not a disclosure. We do not 
consider this problematic, however, 
because the information is merely being 
returned to the party identified as its 
source. This is similar to the situation 
in which a school is not required under 
the regu I ati ons to record d i scl osu res of 
education records made to school 
off i c i al s w i th I egi ti mate ed u cati onal 
interests. As in that instance, there is no 
di rect notice to a parent or student of 
either the disclosure of the record or the 
information in the record. We also 
believe that if a questionable document 
is deemed to be inauthentic by the 
source, the student will be informed of 
the results of the authentication process 
by means other than seei ng a record of 
the disclosure in the student's file. 

There appears to be little value in 
notifying a parent or student that a 
document was suspected of bei ng 
fraudulent if the document is found to 
be genuine and accurate. 



Finally, we note that a transcript or 
other document does not lose its 
protection under FERPA, including the 
written consent requirements, when an 
educational agency or institution 
returns it to the source. The document 
and the information in it remains an 
"education record" under FERPA when 
it is returned to its source. As an 
education record, it may not be 
redisclosed except in accordance with 
FERPA requirements, including 
§ 99.31(a)(1), which allows the source 
institution to disclose the information to 
teachers and other school officials with 
legitimate educational interests, such as 
persons who need to verify the accuracy 
or authenticity of the information. If the 
source institution makes any further 
disclosures of the record or information, 
it must record them. 

Changes: None. 

Additional Changes to the Definition of 
Disclosure 

Comment: Several commenters 
requested additional changes to the 
definition of disclosure. Onecommenter 
requested that any transfer of education 
records to a State's longitudinal data 
system not be considered a disclosure. 
Several commenters requested that 
additional changes be made so that a 
school could provide current education 
records of students back to the students' 
former schools or districts. A 
commenter recommended excluding 
from the definition of disclosure 
stati sti cal i nformati on that i s personal I y 
identifiable because of small cell sizes 
when the recipient agrees to maintain 
the confidential ity of the information. 

Discussion: The revised definition of 
disclosure, which excludes the return of 
a document to its stated source, clarifies 
that information provided by school 
districts or postsecondary institutions to 
State educational authorities, including 
information maintained in a 
consol i dated student records system, 
may be provi ded back to the ori gi nal 
district or institution without consent. 
There is no statutory authority, 
however, to excl ude from the defi ni ti on 
of disclosure a school district's or 
institution's release or transfer of 
personally identifiable information from 
education records to its State 
longitudinal data system. (We discuss 
the disclosure of education records in 
connection with the development of 
consolidated, longitudinal data systems 
in our response to comments on 
rediscl osu re and recordkeeping 
requirements elsewhere in this 
preamble.) Likewise, there is no 
statutory authority to excl ude from the 
definition of disci osure the rel ease of 
personally identifiable information from 
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education records to parties that agree to 
keep the information confidential. (See 
our discussion of personally identifiable 
information and de-identified records 
and information elsewhere in this 
preamble.) 

The revised regulations do not 
authorize the disclosure of education 
records to third parties who are not 
identified as the provider or creator of 
the record. For example, a college may 
not send a student's current col lege 
records to a student's high school under 
the revised definition of disclosure 
because the h i gh school i s not the stated 
source of those records. (We discuss this 
issue elsewhere in the preamble under 
Disclosure of Education Records to 
Students' Former Schools.) 

Changes; None. 

(d) Education Records 
(1) Paragraph (b)(5) 

Comment: Several commenters 
supported our proposal to clarify the 
existing exclusion from the definition of 
education records for records that only 
contain information about an individual 
after he or she is no longer a student, 
which we referred to as "alumni 
records" in theNPRM, 73 FR 15576. 

One commenter suggested that the term 
"directly related," which is used in the 
amended definition in reference to a 
student's attendance, is inconsistent 
with the use of the term "personally 
identifiable" in other sections of the 
regulations and could cause confusion. 

One commenter asked whether a 
postsecondary school could providea 
student's education records from the 
postsecondary school to a secondary 
school that the student attended 
previously. 

Several commenters objected to the 
proposed regulations because, according 
to the commenters, the regulations 
would expand the records subject to 
FERPA's prohibition on disclosure of 
education records without consent. A 
journal ist stated that the settlement 
agreement cited in theNPRM is an 
example of a record that should be 
excluded from the definition and that 
schools al ready are permitted to protect 
too broad a range of documents from 
public review because the documents 
are education records. The commenter 
stated that information from education 
records such as a settlement agreement 
is newsworthy, unlikely to contain 
confidential information, and that 
disclosure of such information provides 
a benefit to the public. Another 
commenter expressed concern that the 
regulations allow schools to collect 
negative information about a former 
student without giving the individual an 



opportunity to challenge the content 
because the information is not an 
education record under FERPA. 

Discussion: It has long been the 
Department's interpretation that records 
created or received by an educational 
agency or institution on a former 
student that are di recti y rel ated to the 
individual 's attendance as a student are 
not excluded from the definition of 
education records under FERPA, and 
that records created or received on a 
former student that are not di recti y 
related to the i ndividual 's attendance as 
a student are excluded from the 
definition and, therefore, are not 
"education records." The proposed 
regulations in paragraph (b)(5) were 
intended to clarify the use of this 
exclusion, not to change or expand its 
scope. 

Our use of the phrase "directly related 
to the individual 's attendance as a 
student" to descri be records that do not 
fall under this exclusion from the 
definition of education records is not 
inconsistent with the term "personally 
identifiable" as used in other parts of 
the regulations and should not be 
confused. The term "personally 
identifiable information" is used in the 
statute and regulations to descri be the 
kind of information from education 
records that may not be di sc I osed 
without consent. See20U.S.C. 1232g(b); 
34CFR 99.3, 99.30. Whi le "personal ly 
identifiable information" maintained by 
an agency or institution isgenerally 
considered an "education record" under 
FERPA, personally identifiable 
information does not fall under this 
exclusion from the definition of 
education records if the information is 
not directly related to the student's 
attendance as a student. For example, 
personally identifiable information 
related solely to a student's activities as 
an alumnus of an institution is excluded 
from the definition of education records 
under this provision. We think that the 
term "d i recti y rel ated " i s cl ear i n th i s 
context and will not be confused with 
"personally identifiable." 

A postsecondary institution may not 
disclose a student's postsecondary 
education records to the secondary 
school previously attended by the 
student under this provision because 
these records are directly related to the 
student's attendance as a student at the 
postsecondary institution. (We discuss 
this issuefurther under Disclosure of 
Education Records to Students' Former 
Schools.) 

We do not agree that documents such 
as settl ement agreements are u n I i kel y to 
contain confidential information. Our 
experience has been that these 
documents often contain highly 



confidential information, such as 
special education diagnoses, 
educational supports, or mental or 
physical health and treatment 
information. Our changes to the 
definition were intended to clarify that 
schools may not disclose this 
information to the media or other 
parties, without consent, simply 
because a student i s no I onger i n 
attendance at the school at the ti me the 
record was created or received. A parent 
or eligi ble student who wishes to share 
the student's own records with the 
media or other parties is free to do so. 

Neither FERPA nor the regulations 
contains a provision for a parent or 
eligi ble student to challenge information 
that is not contained in an education 
record. FERPA does not prohibit a 
parent or student from using other 
venues to seek redress for collection and 
rel ease of i nformati on in non-education 
records. 

Changes: None. 

(2) Paragraph (b)(6) 

Comment: We received several 
comments supporting the proposed 
changes to the definition of education 
records that would exclude from the 
definition grades on peer-graded papers 
before they are collected and recorded 
by a teacher. These commenters 
expressed appreciation that this revision 
would be consistent with theU.S. 
Supreme Court's decision on peer- 
graded papers in Owasso Independent 
School Dist. No. 1-011 v. Falvo, 534 U.S. 
426 (2002) (Owasso). Two commenters 
asked how the provision would be 
applied to the use of group projects and 
group grading within the classroom. 

Discussion: The proposed changes to 
the definition of education records in 
paragraph (b)(6) are designed to 
implement theU.S. Supreme Court's 
2002 decision in Owasso, which held 
that peer gradi ng does not violate 
FERPA. As noted in theNPRM, 73 FR 
15576, the Court held in Owasso that 
peer grading does not violate FERPA 
because "the grades on students' papers 
would not be covered under FERPA at 
least until the teacher has collected 
them and recorded them in his or her 
grade book." 534 U.S. at 436. 

As suggested by the Supreme Count 
in Owasso, 534 U.S. at 435, FERPA is 
not intended to interfere with a 
teacher's abi I ity to carry out customary 
practices, such as group gradi ng of team 
assi gn men ts w i th i n th e c I assroom . J u st 
as FERPA does not prevent teachers 
from al lowi ng students to grade a test or 
homework assignment of another 
student or from cal I i ng out that grade i n 
class, even though the grade may 
eventually become an education record, 
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FERPA does not prohibitthediscussion 
of group or individual grades on 
classroom group projects, so long as 
those individual grades have not yet 
been recorded by the teacher. The 
process of assigning grades or grading 
papers fallsoutside the definition of 
education records in FERPA because the 
grades are not "mai ntained" by an 
educational agency or institution at least 
until the teacher has recorded the 
grades. 

Changes: None. 

(e) Personally Identifiable Information 

Comments on the proposed definition 
of personally identifiable information 
arediscussed elsewhere in this 
preamble under the heading Personally 
Identifiable Information and De- 
identified Records and Information. 

(f) State Auditors and Audits (§§ 99.3 
and Proposed 99.35(a)(3)) 

Comment: Several commenters 
supported the clarification in proposed 
§ 99.35(a)(3) that State auditors may 
have access to education records, 
without consent, in connection with an 
"audit" of Federal or State supported 
education programs under the exception 
to the written consent requi rement for 
authorized representatives of "State and 
local educational authorities." All but 
one of the commenters, however, 
disagreed strongly with the proposed 
definition of audit in § 99.35(a)(3), 
which waslimited to testing compliance 
with applicable laws, regulations, and 
standards and did not include the 
broader concept of eval uations. 

In general, the commenters said that 
the proposed definition of audit was too 
narrow and would prevent State 
auditors from conducting performance 
audits and other services that they 
routinely provide in accordance with 
professional auditing standards, 
including theU.S. Comptroller's 
Government Auditing Standards. See 
www.gao.gov/govaud/ybk01.htm. A 
State legislative auditor noted, for 
example, that 45 State legislatures have 
established legislative program 
evaluation offices whose express 
purpose is to provide research and 
evaluation for legislative decision 
making, and that these offices regularly 
use personally identifiable information 
from education records for their work. 
Some of the commenters also 
questioned whether financial audits and 
attestation engagements would be 
excluded under the proposed definition. 

One commenter said that the State 
auditor provisions in proposed §§ 99.3 
and 99.35(a)(3) should be expanded to 
apply to other non-education State 
officials responsible for evaluating 



publicly funded programs. Another 
commenter recommended that the 
regulations include examination of 
education records by health department 
officials to improve compliance with 
mandated immunization schedules. 

The majority of the comments we 
received with respect to the inclusion of 
local auditors in the proposed definition 
of State auditor in § 99.3 supported 
permitting local auditors to have access 
to personally identifiable information 
for purposes of auditing Federal or State 
supported education programs. One 
commenter said that local auditors 
should not be included in the 
definition, while another commenter 
stated that auditors for the city health 
department need access to FERPA - 
protected information to determine the 
accuracy of clai ms for payment and 
asked for further clarification on the 
issue. 

Discussion: Weexplained in the 
preambleto the NPRM that the statute 
allows disclosure of personally 
identifiable information from education 
records without consent to authorized 
representatives of "State educational 
authorities" in connection with an audit 
or evaluation of Federal or State 
supported education programs. 73 FR 
15577. Legislative history indicates that 
Congress amended the statute in 1979 to 
"correct an anomaly" in which the 
existing exception to the consent 
requirement in 20 U.S.C. 1232g(b)(3) 
was i nterpreted to preclude State 
auditors from obtaining access to 
education records for audit purposes. 
See H.R. Rep. No. 338, 96th Cong., 1st 
Sess. at 10 (1979), reprinted in 1979 U.S. 
Code Cong. & Admin. News 819, 824. 
However, because the amended 
statutory language in 20 U.S.C. 
1232g(b)(5) refers only to "State and 
local educational officials," the 
proposed regulations sought to clarify 
that this included "State auditors" or 
auditors with authority and 
responsibility under State law for 
conducting audits. Due to the breadth of 
this inclusion, however, the proposed 
regu I ati ons al so sought to I i mi t access to 
education records by State auditors by 
narrowing the definition of audit. 

The Secretary has careful ly reviewed 
the comments and, based upon further 
intradepartmental review, has decided 
to remove from the final regulations the 
provisions related to State auditors and 
audits in §§ 99.3 and 99.35(a)(3). We 
share the commenters' concerns about 
preventi ng State aud i tors from 
conducti ng acti vi ti es that they routi nel y 
perform under applicable auditing 
standards. However, because our focus 
was on the narrow definition of audit, 
we proposed a very broad definition of 



State auditor in § 99.3 and did not 
examine which of the various types of 
officials, offices, committees, and staff 
in executive and legislative branches of 
State government should beincluded in 
the definition. We are concerned that 
without the narrow definition of audit 
as proposed in § 99.35(a)(3), the 
proposed definition of State auditor 
may allow non-consensual disclosures 
of education records to a variety of 
officials for purposes not supported by 
the statute. The Department will study 
the matter further and may issue new 
regulations or guidance, as appropriate. 
In the interim, the Department will 
provide guidance on a case-by-case 
basi s. 

Changes: We are not including the 
definition of State auditor in § 99.3 and 
the provisions related to State auditors 
and audits in § 99.35(a)(3) in these final 
regulations. 

Disclosures to Parents (§§ 99.5 and 
99.36) 

Comment: A majority of commenters 
approved of the Secretary's efforts to 
clarify that, even after a student has 
become an eligible student, an 
educational agency or institution may 
disclose education records to the 
student's parents, without the consent 
of the student, if certain conditions are 
met. Those commenters stated that the 
clarification was especially helpful, 
particularly in light of issues that arose 
after the A pri I 2007 shooti ngs at the 
Virginia Polytechnic Institute and State 
University (VirginiaTech). A 
commenter stated that the cl ari fi cati on 
will assist emergency management 
officials on col lege and university 
campuses and help school officials 
know when they can properly share 
student information with parents and 
students. One commenter expressed 
support for the proposed regulations, 
because it has been her experience that 
col leges do not share information with 
parents on their children'sfinancial aid 
or academic status. 

Some commenters disagreed with the 
proposed changes. One stated that, due 
to varying family dynamics, disclosures 
should not be limited only to parents, 
but should also include other 
appropriate family members. Another 
commenter objected to the phrase in 
§ 99.5(a)(2) that would permit disclosure 
to a parent without the student's 
consent if the disclosure meets "any 
other provision in § 99.31(a)." The 
commenter stated that this "catch-al I 
phrase" exceeded statutory authority. 

Noting the sensitivity of financial 
information included in income tax 
returns, a few commenters raised 
concerns about the discussion in the 
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NPRM in which we explained that an 
institution can determine that a parent 
claimed a student as a dependent by 
asking the parent to supply a copy of the 
parent's most recent Federal tax return. 
Another commenter stated that the 
NPRM did not go far enough and 
recommended specifically requiring an 
institution to rely on a copy of a parent's 
most recent Federal tax return to 
determi ne a student's dependent status, 
whi le another commenter recommended 
that we change the regulations to 
indicate that only the parent who has 
claimed the student as a dependent may 
have access to the student's educati on 
records. 

A commenter noted that some States 
have high school students who are 
concurrently enrolled in secondary 
school sand postsecondary institutions 
as early as ninth grade and supported 
the clarification that postsecondary 
institutions may disclose information to 
parents of students who are tax 
dependents. 

Discussion: Parents' rights under 
FERPA transfer to a student when the 
student reaches age 18 or enters a 
postsecondary institution. 20 U.S.C. 
1232g(d). Flowever, under § 99.31(a)(8), 
an educational agency or institution 
may disclose education records to an 
eligi ble student's parents if the student 
is a dependent as defined in section 152 
of the Internal Revenue Code of 1986. 
Under § 99.31(a)(8), neither the age of a 
student nor the parent's status as 
custodial parent is relevant to the 
determination whether disclosure of 
information from an eligi ble student's 
education records to that parent without 
written consent is permissible under 
FERPA. If a student is claimed as a 
dependent for Federal income tax 
purposes by either parent, then under 
the regulations, either parent may have 
access to the student's education 
records without the student's consent. 

The statutory exception to the consent 
requirement in FERPA for the disclosure 
of records of dependent students appl i es 
only to the parents of the student. 20 
U.S.C. 1232g(b)(l)(H ). Accordingly, the 
Secretary does not have statutory 
authority to apply § 99.31(a)(8) to any 
other family members. Flowever, under 
§ 99.30(b)(3), an eligi ble student may 
provi de consent for the school to 
disclose information from his or her 
education records to another family 
member. In some situations, such as 
when there is no parent in the student's 
life or the student is married, a spouse 
or other fami ly member may be 
considered an appropriate party to 
whom a disclosure may be made, 
without consent, in connection with a 



health or safety emergency under 
§§ 99.31(a)(10) and 99.36. 

In most cases, when an educational 
agency or institution discloses 
education records to parents of an 
eligi ble student, we expect the 
disclosure to be made under the 
dependent student provision 
(§ 99.31(a)(8)), in connection with a 
health or safety emergency 
(§§ 99.31(a)(10) and 99.36), or if a 
student has committed a disciplinary 
violation with respect to the use or 
possession of alcohol or a controlled 
substance (§ 99.31(a)(15)). This is the 
reason we mention these provisions 
specifically in the regulations. Flowever, 
inclusion of the phrase "of any other 
provision in § 99.31(a)" in § 99.5(a)(2) is 
necessary and within our statutory 
authority because there may be other 
exceptions to FERPA 's general consent 
requirement under which an agency or 
institution might disclose education 
records to a parent of an el igi ble 
student, such as the directory 
information provision in § 99.31(a)(ll) 
and the provision permitting disclosure 
in compliance with a court order or 
lawfully issued subpoena in 
§ 99.31(a)(9). 

As we explained in the NPRM, 
institutions can determine that a parent 
cl ai ms a student as a dependent by 
asking the parent to submit a copy of the 
parent's most recent Federal income tax 
return. Flowever, wedo not think it is 
appropriate to require an agency or 
institution to rely only on the most 
recent tax return to determi ne the 
student's dependent status because 
institutions should have flexibility in 
how to reach this determination. For 
instance, institutions may rely instead 
on a student's assertion that he or she 
is not a dependent unless the parent 
provides contrary evidence. We agree 
that financial information on a Federal 
tax return is sensitive information and, 
for that reason, in providing technical 
assistance and compl iance training to 
school officials, we have advised that 
parents may redact all financial and 
other unnecessary information that 
appears on the form, as I ong as the tax 
return clearly shows the parent's or 
parents' names and the fact that the 
student is claimed as a dependent. 

In addition, in the fall of 2007, we 
developed two model forms that appear 
on the Department's Fami I y Pol icy 
Compl i ance Offi ce (F PCO or the Offi ce) 
Web site that institutions may adapt and 
provide to students at orientation to 
indicate whether they are a dependent 
and, if not, obtaining consent from the 
student for disclosure of information to 
parents: http://www.ed.gov/policy/gen/ 
gu i d/f pco/ferpa/safeschool s/ 



modelform.html and http://www.ed.gov/ 
policy/gen/guid/fpco/ferpa/safeschools/ 
modelform2.html. 

With regard to the comment about 
high school students who are 
concurrently enrolled in postsecondary 
institutions as early as ninth grade, 
FERPA not only permits those 
postsecondary institutions to disclose 
information to parents of the high 
school students who are dependents for 
Federal income tax purposes, it also 
permits high schools and postsecondary 
institutionswhoh ave d u al I y-en rol I ed 
students to share information. Where a 
student is enrolled in both a high school 
and a postsecondary institution, the two 
schools may share education records 
without the consent of either the parents 
or the student under § 99.34(b). If the 
student is under 18, the parents still 
retain the right under FERPA to inspect 
and review any education records 
maintained by the high school, 
including records that the col lege or 
university disclosed to the high school, 
even though the student is also 
attending the postsecondary institution. 

Changes: None. 

Outsourcing (§ 99.31(a)(l)(i)(B)) 

(a) Outside Parties Who Qualify as 
School Officials 

Comment: A few commenters 
disagreed with the proposal to expand 
the "school officials" exception in 
§ 99.31(a)(l)(i)(B) to include contractors, 
consultants, volunteers, and other 
outside parties to whom an educational 
agency or institution has outsourced 
institutional services or functions it 
would otherwise use employees to 
perform. They bel i eved that the 
modifications undermined the plain 
language of the statute and 
congressional intent. Several other 
commenters supported the proposed 
regulations, saying that it was helpful to 
include in the regulations what has 
historically been the Department's 
interpretation of the "school officials" 
exception. A majority of commenters, 
whi le not agreei ng or disagreei ng with 
the proposed changes in 
§ 99.31(a)(l)(i)(B), raised a number of 
issues concerning the proposal . 

Several commenters expressed 
concern that the requi rement that an 
outside party must perform an 
institutional service or function for 
which the agency or institution would 
other wise use employees is too 
restrictive and impractical. One 
commenter noted that some functions 
that a contractor performs could not be 
performed by a school official . 

Some commenters said we should 
clarify the regulations to explain the 
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circumstances under which volunteers 
may serve as school officials and have 
access to personally identifiable 
information from education records in 
connection with their services or 
responsibilities to the school. One 
commenter noted that this clarification 
was needed especial I y for parent- 
volunteers working at a school attended 
by their own children where they are 
likely to know other students and their 
families. 

Several commenters asked that we 
clarify in the regulations that 
§ 99.31(a)(1) also applies to school 
transportation officials, school bus 
drivers, and school bus attendants who 
need access to education records in 
order to safely and efficiently transport 
students. A nother commenter asked for 
clarification whether, under the 
proposed regulations, practicum 
students, fieldwork students, and 
unpaid interns in schools would be 
considered "school officials." One 
commenter asked whether § 99.31(a)(1) 
permits outsourced medical providers to 
be considered "school officials." 

One commenter asked how proposed 
§ 99.31(a)(1) would apply to parties 
other than educational agencies and 
institutions. The commenter was 
concerned about permitting SEAsto 
disclose personally identifiable 
information to outside parties under 
§ 99.31(a)(l)(i)(B) because SEAs are not 
subject to § 99.7, which requires 
educational agencies and institutions to 
annually notify parents and eligible 
students of their rights under FERPA, 
including a specific requirement in 
§ 99.7(a)(3)(iii) that an educational 
agency or institution that has a policy of 
disclosing information under 
§ 99.31(a)(1) must include in its annual 
notice a specification of criteria for 
determining who constitutes a school 
official and what constitutes a legitimate 
educational interest. A number of 
commenters requested clarification 
about the applicability of 
§ 99.31(a)(l)(i)(B) to State authorities 
that operate State longitudinal data 
systems that mai ntai n records of local 
educational agencies (LEAs) or 
institutions and are responsible for 
certain reporting requirements under 
the No Child Left Behind Act. Some of 
these commenters bel ieve that State 
authoriti es operati ng these systems are 
"school officials" under § 99.31(a)(1) 
who should be able to disclose 
education records for the purpose of 
outsourcing under § 99.31(a)(l)(i)(B). 

One commenter recommended that 
the regulations permit the disclosure of 
education records to non-educational 
State agencies for eval uation purposes 
under § 99.31(a)(1). A nother commenter 



asked that we revise the regulations to 
permit representatives of the Centers for 
Disease Control and Prevention to 
access education records for the purpose 
of public health surveillance under the 
"school officials" exception. 

Another commenter requested further 
guidance on how § 99.31(a)(1) would 
apply to local law enforcement offi cers 
who work in collaboration with schools 
in various capacities and whether 
education records could be shared with 
these offi cers i n order to ensure safe 
campuses. 

Discussion: The Secretary does not 
agree that the proposed changes to 
§ 99.31(a)(1) go beyond the plai n 
reading of the statute and congressional 
intent. As we explained in the NPRM, 
FERPA's broad definition of education 
records i ncl udes records that are 
maintained by "a person acting for" an 
educational agency or institution. 20 
U.S.C. 1232g(a)(4)(A)(ii); see34CFR 
99.3. (In floor remarks describing the 
meaning of the definition of education 
records, Senators James Buckley and 
Claiborne Pell, principal sponsors of the 
December 1974 FERPA amendments, 
specifically referred to materials that are 
maintained by a school "or by one of its 
agents." See "Joi nt Statement i n 
Explanation of Buckley/ Pel I 
Amendment" (Joint Statement), 120 
Cong. Rec. S21488 (Dec. 13, 1974).) 
Although the Secretary is concerned 
that educational agencies and 
institutions not misapply § 99.31(a)(1), 
the changes to the regulations are 
necessary to clarify the scope of the 
"school officials" exception in FERPA. 

We disagree with commenters that the 
requirement in § 99.31(a)(l)(i)(B)(l) that 
the outside party must perform an 
institutional service or function for 
which the agency or institution would 
otherwise use employees is too 
restrictive or unworkable. The 
requi rement serves to ensure that the 
"school officials" exception does not 
expand into a general exception to the 
consent requirement in FERPA that 
would allow disclosure any timea 
vendor or other outside party wants 
access to education records to provide a 
product or service to schools, parents, 
and students. As explained in the 
preceding paragraphs and in the NPRM, 
73 FR 15578-15579, the statutory basis 
for expanding the "school officials" 
exception to outside service providers is 
that they are "acti ng for" the agency or 
institution, not selling products and 
services. This means, for example, that 
a school may not use the "school 
officials" exception to disclose 
personally identifiable information from 
a student's education record, such as the 
student's SSN or student ID number, 



without consent, to an insurance 
company that wishes to offer students a 
discount on auto insurance because the 
school is not outsourcing an 
institutional service or function for 
which it would otherwise use its own 
employees. 

Further, the requirement that the 
outside party must be performing 
services or functions an employee 
would otherwise perform does not mean 
that a school employee must be able to 
perform the outsourced service i n order 
for the outsi de party to be consi dered a 
school official under 
§ 99.31(a)(l)(i)(B)(l). For example, many 
school districts outsource their legal 
services on an as-needed basis. Even 
though these school districts may have 
never hired an attorney as an employee, 
they may sti II di scl ose personal I y 
identifiable information from education 
records to outside legal counsel to 
whom they have outsourced their legal 
services. FERPA does not otherwise 
restrict whether a school may outsource 
institutional services and functions; it 
only addresses to whom and under what 
conditions personally identifiable 
information from students' education 
records may be disclosed. 

Once a school has determined that an 
outside party is a "school official" with 
a "legitimate educational interest" in 
viewing certain education records, that 
party may have access to the education 
records, without consent, in order to 
perform the required institutional 
services and functions for the school. 
These outside parties may include 
parents and other volunteers who assist 
schools in various capacities, such as 
serving on official committees, serving 
as teachers' aides, and working in 
administrative offices, where they need 
access to students' education records to 
perform their duties. 

The disclosure of education records 
under any of the conditions listed in 
§99.31, including the "school officials" 
exception, is permissive and not 
required. (Only parents and eligible 
students have a right under FERPA to 
inspect and review their education 
records.) Therefore, schools should 
always use good judgment in 
determining the extent to which 
volunteers, as well as other school 
officials, need to have access to 
education records and to ensure that 
school officials, including volunteers, 
do not improperly disclose information 
from students' education records. 

We decl i ne to adopt commenters' 
suggestion that we include in 
§ 99.31(a)(l)(i)(B) a list of the types of 
parties who may serve as school 
official sand receive personally 
identifiable information from education 
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records in connection with the 
institutional services and functions 
outsourced by the school. We think it 
would be impossible to provide a 
comprehensi ve I i sti ng and bel i eve that 
agencies and institutions are in the best 
position to make these determinations. 
At the discretion of a school, school 
officials may include school 
transportation officials (including bus 
drivers), school nurses, practicumand 
fieldwork students, unpaid interns, 
consultants, contractors, volunteers, and 
other outside parties providing 
institutional services and performing 
institutional functions, provided that 
each of the requ i rements i n 
§ 99.31(a)(l)(i)(B) has been met. 

Under § 99.31(a)(1), a university could 
outsource the practical training of 
students. The information disclosed to 
the hospital, clinic, or business 
conducting the practical training may 
only be used for the purposes for which 
it was disclosed. In theNPRM, we 
discuss in more detail the types of 
services and functions covered under 
§ 99.31(a)(l)(i)(B). (73 FR 15578-15580.) 

I n response to the comment about the 
applicability of § 99.31(a)(l)(i)(B) to 
State educational authorities that 
operate State longitudinal data systems, 
such officials are not "school officials" 
under FERPA. Rather, these officials are 
generally considered authorized 
representatives of a State educational 
authority, and LEAstypically disclose 
information from students' education 
records to a longitudinal data system 
maintained by an SEA or other State 
educational authorities under the 
exception to the consent requirement for 
d i scl osu res to authori zed 
representatives of State and local 
educational authorities, 

§ 99.31(a)(3)(iv)), not the "school 
officials" exception. This issue is 
explained in more detail elsewhere in 
this preamble under Educational 
research (§§ 99.31(a)(6), 99.31(a)(3). We 
also discuss disci osu res to non- 
educational agencies, such as to public 
health agencies, in the section of this 
preamble entitled Disclosure of 
Education Records to Non-Educational 
Agencies. 

Members of a school's law 
enforcement unit, as defined in § 99.8 of 
the regulations, who are employed by 
the agency or institution qualify as 
school officials under § 99.31(a)(l)(i)(A) 
if the school has complied with the 
notification requirements in 
§ 99.7(a)(3)(iii). As school officials, they 
may be given access to personally 
identifiable i nformation from those 
students' education records in which 
the school has determined they have 
legitimate educational interests. The 



school's law enforcement unit must 
protect the privacy of education records 
it receives and may disclose them only 
with consent or under one of the 
exceptions to consent listed in § 99.31. 
For that reason, it is advisable that 
officials of a law enforcement unit 
maintain education records separately 
from law enforcement unit records, 
which are not subject to FERPA 
requirements. As weexplained in 
Balancing Student Privacy and School 
Safety: A Guide to the Family 
Educational Rights and Privacy Act for 
Elementary and Secondary Schools, 
investigative reports and other records 
created by an institution's law 
enforcement unit are excluded from the 
definition of education records under 
§ 99.3 and, therefore, are not subject to 
FERPA requirements. Accordingly, 
schools may disclose information from 
law enforcement unit records to anyone, 
including local police and other outside 
law enforcement authorities, without 
consent. This brochure can be found on 
FPCO's "Safe Schools & FERPA" Web 
page: http://www.ed.gov/policy/gen/ 
gu i d/f pco/ferpa/safeschool s/ i ndex. html . 

Outside police officers or other non- 
employees to whom the school has 
outsourced its safety and security 
functions do not qualify as "school 
officials" under FERPA unless they 
meet each of the requ i rements of 
§ 99.31(a)(l)(i)(B). If these pol i ce offi cers 
or other outside parties do not meet the 
requirements for being a school official 
under FERPA, they may not have access 
to students' education records without 
consent, unless there is a health or 
safety emergency, a lawfully issued 
subpoena or court order, or some other 
exception to FERPA 's general consent 
requirement under which thedisclosure 
fal I s. 

With respect to our amendment to the 
"school officials" exception, we note 
that§ 99.32(d) excludes from the 
recordation requirements disclosures of 
education records that educational 
agencies and institutions make to school 
officials. This exclusion from the 
recordation requirement will apply as 
wel I to d i scl osu res to contractors, 
consultants, volunteers, and other 
outside parties to whom an agency or 
institution discloses education records 
under § 99.31(a)(l)(i)(B). The 
Department has long recognized that 
FERPA does not prevent schools from 
outsourcing institutional services and 
functions: to requ ire schools to record 
disclosures to these outside parties 
serving as school officials would be 
overly burdensome and unworkable. 

An educational agency or institution 
that complies with the notification 
requirements in § 99.7(a)(3)(iii) by 



specifying its policy regarding the 
disclosure of education records to 
contractors and other outside parties 
serving as school officials provides 
legally sufficient notice to parents and 
students regarding these disclosures. We 
have posted model notifications on our 
Web site, one for postsecondary 
institutions and onefor LEAs. See 
http://www.ed .gov/ pol i cy/gen/gu i d / 
fpco/ferpa/ps-officials.html and http:// 
www.ed.gov/policy/gen/guid/fpco/ 
ferpa/lea-officials.html. 

Changes: None. 

(b) Di rect Control 

Comment: Some commenters asked 
the Department to clarify what the term 
"direct control" means as used in 
§ 99.31(a)(l)(i)(B)(2). This section 
provi des that i n order to be consi dered 
a "school official" an outside party must 
be under the direct control of the agency 
or institution. Some commenters asked 
if this term means that the school must 
monitor the operations of the outside 
party, and how it affects an agency's or 
institution's relationship with 
subcontractors or thi rd- or fourth-party 
database hosti ng companies. One 
commenter stated that the regulations 
should not distinguish between whether 
the education records are hosted in a 
vendor's offsite network or within the 
institution's local network servers, 
whi le another commenter asked for 
clarification of how § 99.31(a)(l)(i)(B) 
applies to outsourcing electronic mail 
(e-mail) services to third parties such as 
Microsoft or Google. 

One commenter stated that 
institutions should be required to verify 
that parties to whom they outsource 
services have the necessary resources to 
safeguard education records provided to 
them. 

A commenter suggested that, instead 
of the proposed "direct control " 
standard, the Department adopt 
I an gu age si m i I ar to th e safegu ard i ng 
standard found in the Gramm-Leach- 
Bliley Act (GLB) (Pub. L. 106-102, 
November 12, 1999). The commenter 
suggested that, as adapted in FERPA, 
the standard would require that for an 
outside party, acting on behalf of an 
educational institution, to be considered 
a "school official," the institution 
would have to: (1) Take reasonable steps 
to select and retain contractors, 
consultants, volunteers, or other outside 
parti es that are capabl e of mai ntai n i ng 
appropriate safeguards with respect to 
education records; and (2) mandate by 
contract that the outsi de party 
implement and maintain such 
safeguards. 

Discussion: The term "direct control" 
in § 99.31(a)(l)(i)(B)(2), is intended to 
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ensure that an educational agency or 
institution does not disclose education 
records to an outside service provider 
unless it can control that party's 
maintenance, use, and redisclosure of 
education records. This could mean, for 
example, requiring a contractor to 
maintain education records in a 
particular manner and to make them 
available to parents upon request. We 
are revising the regulations, however, to 
provide this clarification. 

Neither the statute nor the FERPA 
regulations specifically requires that 
educational agencies and institutions 
verify that outside parties to whom 
schools outsource services have the 
necessary resources to safeguard 
education records provided to them. 
However, as discussed in theNPRM, 
educational agencies and institutions 
are responsible under FERPA for 
ensuring that they themselves do not 
have a pol icy or practice of releasi ng, 
permitting the release of, or providing 
access to personally identifiable 
information from education records, 
except in accordance with FERPA. This 
i ncl udes ensuri ng that outsi de parti es 
that provide institutional services or 
functions as "school officials" under 
§ 99.31(a)(l)(i)(B) do not maintain, use, 
or redisclose education records except 
asdirected by the agency or institution 
that disclosed the information. 

The "direct control" requirement is 
intended to apply only to the outside 
party's provision of specific 
institutional services or functions that 
have been outsourced and the education 
records provided to that outside party to 
perform the services or function. It is 
not intended to affect an outside service 
provider's status as an independent 
contractor or render that party an 
employee under State or Federal law. 

We believe that the use of the "direct 
control" standard strikes an appropriate 
balance in identifying the necessary and 
proper relationship between the school 
and its outside parties that are serving 
as "school officials." The 
recommendati on that we adopt a 
standard more closely aligned with the 
GLB standard does not appear workable, 
especially with regard to requiring that 
schools enter i nto formal contracts with 
each outside party performi ng services, 
including parent-volunteers. However, 
oneway in which schools can ensure 
that parties understand their 
responsibilities under FERPA with 
respect to education records is to clearly 
describe those responsibilities in a 
written agreement or contract. 

Exercising direct control could prove 
more challenging in some situations 
than in others. Schools outsourcing 
information technology services, such as 



web-based and e-mail services, should 
make cl ear i n thei r servi ce agreements 
or contracts that the outside party may 
not use or al low access to personal I y 
identifiable information from education 
records, except in accordance with the 
requirements established by the 
educational agency or institution that 
disci oses the information. 

Changes: We have revised 
§ 99.31(a)(l)(B)(2) to clarify that the 
outside party must be under the direct 
control of the agency or institution with 
respect to the use and mai ntenance of 
information from education records. 

(c) Protection of Records by Outside 
Parties Serving as School Officials 

Comment: We received several 
comments on proposed 
§ 99.31(a)(l)(i)(B)(3), which provides 
that an outsi de party servi ng as a 
"school official" is subject to the 
requirement in § 99.33(a), regarding the 
use and redisclosure of personally 
identifiable information from education 
records. One commenter stated that, 
whilehe supported and welcomed this 
clarification, the proposed regulations 
did not go far enough to clarify that 
these outside third parties could not use 
education records of multiple 
institutions for which they serve as a 
contractor to engage i n activities not 
associated with the service or function 
they were providing. 

Some commenters suggested that the 
regulations should require all school 
officials who handle education records, 
including parties to whom institutional 
services and functions are outsourced, 
to participate in annual training and to 
undergo fingerprint and background 
investigations. 

Another commenter stated that any 
disclosures associated with the 
outsourcing of institutional services and 
functions should includea record that 
will serve as an audit trail. The 
commenter noted that both the Health 
Insurance Portability and 
Accountability Act (HIPAA) and the 
Privacy Act of 1974 require the 
mai ntenance of aud i t trai I s or an 
accounting of disclosures of records. 

Discussion: An agency or institution 
must ensure that an outside party 
providing institutional services or 
functions does not use or allow access 
to education records except in strict 
accordance with the requi rements 
established by the educational agency or 
institution that discloses the 
information. Section 99.33(a)(2) of the 
FERPA regulations applies to employees 
and outsi de servi ce provi ders al i ke and 
prohibits the recipient from using 
education records for any purpose other 
than the purposes for which the 



disclosure was made. This includes 
ensuring that outside parties do not use 
education records in their possession for 
purposes other than those specified by 
the institution that disclosed the 
records. 

FERPA does not specifically require 
that educational agencies and 
institutions provide annual training to 
school officials that handle education 
records, and we decline to establish 
such a requirement in these regulations. 
Educational agencies and institutions 
should have flexibility in determining 
the best way to ensure that school 
officials are made aware of the 
requi rements of FERPA. However, for 
entities subject to the Individuals with 
Disabilities Education Act (IDEA), 34 
CFR 300.623(c) provides that all persons 
collecting or using personally 
identifiable information must receive 
training or instruction regarding their 
State's pol icies and procedures under 34 
CFR 300.123 (Confidentiality of 
personally identifiable information) and 
34 CFR Part 99, the FERPA regulations. 
We note that while schools are certainly 
free to implement a policy requiring 
school officials and parties to whom 
services have been outsourced to 
undergo fi ngerpri nt and background 
investigations, there is no statutory 
authority in FERPA to include such a 
requirement in the regulations. 

We note al so that the Department 
routinely provides compliance training 
on FERPA for school officials. 

Typically, presentations are made 
throughout the year to national, 
regional, or State educational 
association conference workshops with 
numerous institutions in attendance. 

Trai ni ng sessi ons are al so schedu I ed for 
State departments of education and 
local school districts in the vicinity of 
any conference. 

For a discussion of the comment that 
recommended that the regulations 
requi re that schools maintain an audit 
trail or an accounting of disclosures to 
school officials, including outside 
providers, seethediscussion under the 
following section entitled Control of 
Access to Education Records by School 
Officials. 

Changes: None. 

Control of Access to Education Records 
by School Officials (§ 99.31(a)(l)(ii)) 

Comment: Many commenters 
supported proposed § 99.31(a)(l)(ii), 
which requires an educational agency or 
institution to use reasonable methods to 
ensure that school officials have access 
to only those education records in 
which the official has a legitimate 
educational interest. In thissection, we 
also proposed that an educational 
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agency or institution that does not use 
physical or technological access 
controls must ensure that its 
ad mi n i strati ve pol i cy for control ling 
access to education records is effective 
and that it remains in compliance with 
the "legitimate educational interest” 
requirement. 

One commenter who supported the 
proposed regulations expressed concern 
that not all districts and institutions 
have the financial or technological 
resources to create or purchase an 
electronic system that provides fully 
automated access control and that an 
institution using only administrative 
controls would be required to 
demonstrate that each school official 
who accessed education records 
possessed a legitimate educational 
interest in the education records to 
which the official gained access. 
According to the commenter, the 
regulations seem to omit the 
"reasonable methods" concept for those 
school s that uti I i ze ad mi n i strati ve 
controls rather than physical or 
technological controls. The commenter 
was concerned that smal I er school s that 
lack resources to create or purchase a 
system that ful ly monitors record access 
would be disadvantaged by having to 
meet a higher standard of ensuring a 
legitimate educational interest on the 
part of the school officials that access 
the records. 

One commenter expressed concern 
that the standard in § 99.31(a)(l)(ii) is 
too restrictive and asked whether the 
Department would use flexibility and 
deference in taking into consideration 
an institution's efforts in compliance 
with the requirement. 

Another commenter requested that we 
include in the regulations a requirement 
that contractors hosti ng data at offsite 
locations must i nstitute effective access 
control measures. The commenter stated 
that many schools and contractors are 
uncertain as to whether the school or 
the contractor is responsible for 
ensuri ng that access control s are appl i ed 
to data hosted by contractors. 

One commenter stated that the 
regulations created an unnecessary 
burden, as school districts already do 
their best to comply with FERPA and an 
occasional mistake should be excused. 
The commenter, however, was pleased 
that the regulations do not require the 
use of technological controls. The 
commenter was concerned that schools 
are unable to pre-assign risk levels to 
categories of records i n order to 
determine appropriate methods to 
mitigate improper access. The 
commenter supported the use of 
effecti ve ad mi ni strati ve control s as 
determined by a district to ensure that 



i nformati on i s avai I abl e onl y to those 
with a legitimate educational interest. 

One commenter expressed concern 
that the requirement to use reasonable 
methods to ensure appropriate access 
was not sufficiently restrictive, because 
under the regulations, all volunteers 
would be designated as school officials. 
The commenter bel ieved that the 
regu I ati ons wou I d enabl e vol u nteers to 
gain access more easily to confidential 
and sensitive information in education 
records. 

A commenter who is a parent of a 
special education student also 
expressed concern that the language in 
the regulations was not adequate. The 
commenter described a software 
package used by her district that permits 
all school officials unrestricted access to 
thelEPsofall special education 
students. 

Discussion: Section 99.30 requires 
that a parent or el igi ble student provide 
written consent for a disclosure of 
personally identifiable information from 
education records unless the 
ci rcumstances meet one of the 
exceptions to consent, such as the 
release of i nformati on to a school 
official with a legitimate educational 
interest. Thus, a district or institution 
that makes a disclosure solely on the 
basisthat the individual isaschool 
official violates FERPA if it does not 
also determine that the school official 
has a legitimate educational interest. 

The regulations in § 99.31(a)(l)(ii) are 
designed to clarify the responsibility of 
the educational agency or institution to 
ensure that access to education records 
by school officials is limited to 
circumstances in which the school 
offi ci al possesses a I egi ti mate 
educational interest. 

We bel ieve that the standard of 
"reasonable methods" is sufficiently 
flexible to permit each educational 
agency or institution to select the proper 
balance of physical, technological, and 
ad mi n i strati ve control s to effecti vel y 
prevent unauthorized access to 
education records, based on their 
resources and needs. In order to 
establish a system driven by physical or 
technological access controls, a school 
would generally first determine when a 
school official has a legitimate 
educational interest in education 
records and then determine which 
physical or technological access 
controls are necessary to ensure that the 
official can access only those records. 
The regulations require a school that 
uses only administrative controlsto 
ensure that its administrative policy for 
control ling access to educati on records 
is effective and that the school is in 
compliance with the legitimate 



educational i nterest requi rement i n 
§ 99.31(a)(l)(i)(A). Flowever, the 
"reasonable methods" standard appl ies 
whether the control is physical, 
technological, or administrative. 

The regulations permit the use of a 
variety of methods to protect education 
records, in whatever format, from 
improper access. The Department 
expects that educational agencies and 
institutions will general I y make 
appropriate choices in designing records 
access controls, but the Department 
reserves the ri ght to eval uate the 
effectiveness of those efforts i n meeti ng 
statutory and regulatory requirements. 

The additional language that one 
commenter requested concerning 
outsourcing is already included in the 
regulations in § 99.31(a)(1). That section 
specifi cal ly provides that contractors are 
subject to the same conditions 
governing the access and use of records 
that apply to other school officials. As 
long as those conditions are met, the 
physical location in which the 
contractor provides the service is not 
rel evant. 

Because the regulations permit the 
use of a vari ety of methods to effecti vel y 
reduce the risk of unauthorized access 
to education records, we do not believe 
the requ i rement to establ i sh " reasonabl e 
methods" for controlling access is 
unduly burdensome. Schools have the 
flexibility to decide the method or 
methods best suited to thei r own 
circumstances. For the many schools, 
districts, and institutions that already 
meet the standard, no operational 
changes should be necessary. 

The regulations do not designate all 
volunteers as school officials. Rather, 
the regulations clarify that schools may 
designate volunteers as school officials 
who may be provided access to 
education records only when the 
volunteer hasa legitimate educational 
interest. School scan and should 
caret u 1 1 y assess and limit access by an y 
school official, including volunteers. 
This issue is discussed in more detail 
previously in this preamble under the 
section entitled Outsourcing. 

With regard to the parent who 
expressed concern that the language in 
the regulations was not adequate to 
address the problem of software that 
permits all school officials to access the 
lEPsof all special education students, 
we bel ieve that the language in 
§ 99.31(a)(1)(H) is sufficient. As 
previously noted, FERPA prohibits 
school officials from having access to 
education records unless they have a 
legitimate educational interest. The 
commenter's poi nt i 1 1 ustrates the need 
for educational agencies and institutions 
to ensure that adequate controls are in 
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place to restrict access to education 
records only to a school official with a 
legitimate educational interest. 

Changes: None. 

T ransfer of Education Records to 
Students New School (§§ 99.31(a)(2) 
and 99.34(a)) 

Comment: All of the comments we 
received on proposed §§ 99.31(a)(2) and 
99.34(a) supported the clarification that 
an educational agency or institution 
may disclose a student's education 
records to officials of another school, 
school system, or institution of 
postsecondary education notjustwhen 
the student seeks or intends to enroll, 
but after the student is already enrol led, 
so long as the disclosure is for purposes 
related to the student's enrol I mentor 
transfer. Some commenters noted that 
this clarification reduces legal 
uncertainty about how long a school 
may conti nue to send records or 
information to a student's new school; 
other commenters noted that this 
clarification will be helpful in serving 
students who are homeless or in foster 
care because these students are often 
already enrolled in a new school system 
while waiti ngfor records from a 
previ ous en rol I ment. 

A few commenters asked us to clarify 
the requi rement that the disclosure must 
be for purposes related to the student's 
enrol I ment or transfer. The commenters 
asked whether this meantthatonly 
records specifi cal ly related to the new 
school 's deci si on to admi t the student or 
records related to the transfer of course 
credit could be disclosed, or whether 
the agency or institution could also 
disclose information about previously 
undisclosed disciplinary actions related 
to the student's ongoi ng attendance at 
the new institution. Onecommenter 
suggested that we remove the 
requi rement that the disclosure must be 
for purposes of the student's enrollment 
or transfer because it was confusi ng and 
unnecessary. Some commenters asked 
the Department to provide guidance 
about the types of records that may be 
sent under the regulations to a student's 
new school, noting that the preamble to 
the NPRM stated that the regulations 
allow school officials to disclose any 
and all education records, including 
health and disciplinary records, to the 
new school (73 FR 15581). 

One commenter asked us to clarify 
that any school, not just the school the 
student attended most recently, may 
disclose information from education 
records to the institution that the 
student currently attends. Another 
commenter asked whether the amended 
regu I ati ons wou I d permi t the d i scl osure 
of education records to an institution in 



which a student seeks i nformation or 
services but not enrol I ment, such as 
when a charter school student requests 
an evaluation under the IDEA from the 
student's home school district. 

Two commenters asked whether 
mental health and other treatment 
records of postsecondary students, 
which are excluded from the definition 
of education records under FERPA, 
could be disclosed to the new school. 
Other commenters asked whether 
FERPA places any limits on the transfer 
of information about student 
disciplinary actions to colleges and 
universities and what information a 
postsecondary institution may ask for 
and receive regarding a student's 
disciplinary actions. A few commenters 
asked u s to ad d ress th e rel ati on sh i p 
between these regulations and guidance 
issued by the Department's Office for 
Civil Rights (OCR) prohibiting the pre- 
admission rel ease of i nformati on about 
a student's disability under section 504 
of the Rehabi I itation Act of 1973, as 
amended, and Title II of the Americans 
w i th Di sabi I i ti es A ct of 1990, as 
amended. 

Discussion: The regulations are 
i ntended to el i mi nate uncertai nty about 
whether, under § 99.31(a)(2), an 
educational agency or institution may 
send education records to a student's 
new school even after the student is 
already enrolled and attending the new 
school. The requi rement that the 
di scl osure must be for purposes rel ated 
to the student's enrol I ment or transfer is 
not intended to limit the kind of records 
that may be disclosed under this 
exception. Instead, the regulations are 
intended to clarify that, after a student 
has already enrolled in a new school, 
the student's former school may 
disclose any records or information, 
including health records and 
information about disciplinary 
proceedings, that it could have 
disclosed when the student was seeking 
or intending to enroll in the new school. 

These regulations apply to any school 
that a student previously attended, not 
just the school that the student attended 
most recently. For example, under 
§ 99.31(a)(2), a student's high school 
may send education records directly to 
a graduate school in which the student 
seeks admission, or isal ready enrolled. 
Section 99.34(b), which explains the 
conditions that apply to the disclosure 
of information to officials of another 
school, school system, or postsecondary 
institution, allowsa public charter 
school or other agency or institution to 
di scl ose the educati on records of one of 
its students i n attendance to the 
student's home school district if the 
student receives or seeks to receive 



services from the home school district, 
including an evaluation under the IDEA. 
We note, however, that the 
confidentiality of information 
regulations under Part B of the IDEA 
contain additional consent requirements 
that may also apply in these 
circumstances. 

Under section 444(a)(4)(B)(iv) of 
FERPA, 20 U.S.C. 1232g(a)(4)(B)(iv), 
medical and psychological treatment 
records of el i gi bl e students are excl uded 
from the definition of education records 
if they are made, maintained, and used 
only in connection with treatment of the 
student and disclosed only to 
individuals providing the treatment, 
including treatment provi ders at the 
student's new school. (Whilethe 
comment concerned records of 
postsecondary students, we note that 
the treatment records excepti on to the 
definition of education records applies 
also to any student who is 18 years of 
age or older, including 18 year old high 
school students.) An educational agency 
or institution may disclose an eligible 
student's treatment records to the 
student's new school for purposes other 
than treatment provided that the records 
are disclosed under one of the 
exceptions to written consent under 
§ 99.31(a), including § 99.31(a)(2), or 
with the student's written consent 
under § 99.30. If an educational agency 
or institution discloses an eligible 
student's treatment records for purposes 
other than treatment, the treatment 
records are no longer excluded from the 
definition of education records and are 
subject to all other FERPA requirements, 
i ncl udi ng the right of the el i gi ble 
student to inspect and review the 
records and to seek to have them 
amended under certain conditions. In 
practical terms, this means that an 
agency or institution may disclose an 
el i gi bl e student's treatment records to 
the student's new school either with the 
student's written consent, or under one 
of the exceptions in § 99.31(a), 
including § 99.31(a)(2), which permits 
disclosure to a school where a student 
seeks or intends to enroll, or where the 
student is already enrolled so long as 
the disclosure is for purposes related to 
the student's enrol I ment or transfer. 

FERPA does not contain any 
particular restrictions on the disclosure 
of a student's disciplinary records. 
Further, Congress has enacted 
legislation to ensure that schools 
transfer disciplinary records to a 
student's new school in certain 
circumstances. In particular, section 
444(h) of the statute, 20 U.S.C. 1232g(h), 
and the implementing regulations in 
§ 99.36(b) provide that nothing in 
FERPA prevents an educational agency 
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or institution from including in a 
student's records and disci osi ng to 
teachers and school officials, including 
those in other schools, appropriate 
information about disciplinary actions 
taken agai nst the student for conduct 
that posed a significant risk to the safety 
or wel I -bei ng of that student, other 
students, or other members of the school 
community. This authority is in 
addition to any other authority in 
FERPA for the disclosure of education 
records without consent, i ncl udi ng the 
authority under § 99.36(a) to disclose 
education records in connection with a 
health or safety emergency. In addition, 
section 4155 of the Elementary and 
Secondary Education Act of 1965 
(ESEA), 20 U.S.C. 7165, as amended by 
the No Child Left Behind Act of 2001 
(NCLB), requires a State that receives 
funds under the ESEA to have a 
procedure i n place to faci I itate the 
transfer of disciplinary records, with 
respect to a suspension or expulsion, by 
LEAsto any private or public 
elementary school or secondary school 
for any student who is enrol led or seeks, 
intends, or is instructed to enroll, on a 
fu 1 1 -or part-ti me basi s, i n the school . 

There are, however, other Federal 
laws, such as the IDEA, section 504 of 
the Rehabilitation Act of 1973, as 
amended (Rehabilitation Act), and Title 
II of theAmericans with Disabilities Act 
of 1990, as amended (ADA), with 
different requi rements that may affect 
the release of student i nformation. For 
example, educational agencies and 
institutions that are "public agencies” 
or "participating agencies" under the 
IDEA must comply with the 
requi rements i n the Part B 
confidentiality of information 
regulations. See, e.g., 34CFR 
300.622(b)(2) and (3). By way of further 
illustration, because educational 
agencies and institutions receive 
Federal financial assistance, they must 
comply with the regulations 
implementing section 504 of the 
Rehabilitation Act, which generally 
prohibit postsecondary institutions from 
making pre-admission inquiries about 
an applicant's disability status. See 34 
CFR 104.42(b)(4) and (c). However, after 
admission, in connection with an 
emergency and if necessary to protect 
the health or safety of a student or other 
persons as defi ned under FERPA and its 
implementing regulations, section 504 
of the Rehabilitation Act and Title II of 
the A DA do not prohibit postsecondary 
institutions from obtaining information 
and education records concerning a 
current student, i ncl udi ng those with 
disabilities, from any school previously 
attended by the student. Seethe 



discussion in the section entitled Health 
or Safety Emergency (§ 99.36). 

Changes: None. 

Ex Parte Court Orders Under the USA 
Patriot Act (§ 99.31(a)(9)) 

Comment: T wo commenters 
expressed support for the proposed 
regulations, which incorporate statutory 
changes that allow an educational 
agency or institution to comply with an 
ex parte court order issued under the 
USA Patriot Act. One commenter said 
that it would be helpful to add to the 
regu I ati ons a statement from the 
preambleto the NPRM that an 
institution is not responsible for 
determi ning the relevance of the 
information sought or the merits of the 
underl yi ng cl ai m for the court order. 

Several commenters opposed 
§ 99.31(a)(9). One commenter said that 
the USA Patriot Act is unconstitutional 
and that its provisions will sunset in 
2009. Another commenter said that the 
regulations harm its ability to preserve 
the confidentiality of education records, 
parti cu I arl y those of forei gn students. 
The commenter asked us to change the 
regulations to permit institutions to 
notify students when records are 
requested, unless the ex parte court 
order specifi cal ly states that the student 
should not be notified. Another 
commenter said that schools should be 
required to notify parents when records 
are requested and to record the 
disclosure. 

Discussion: The USA Patriot Act 
amendments to FERPA have not been 
ruled unconstitutional, and its 
provisions relevant to FERPA do not 
sunset in 2009. Therefore, we are 
implementing these provisions in our 
regu I ati ons at th i s ti me. 

Under the USA Patriot Act, theU.S. 
Attorney General, or a designee in a 
position not lower than an Assistant 
Attorney General, may apply for an ex 
parte court order to col lect, retai n, 
disseminate, and use certain education 
records in the possession of an 
educational agency or institution 
without regard to any other FERPA 
requirements, including in particular 
the recordkeeping requirements. 20 
U.S.C. 1232g(j)(3) and (4). The USA 
PatriotAct amendments to FERPA also 
provide that an educational agency or 
institution that complies in good faith 
with the court order isnot liableto any 
person for producing the information. 
Nothing in these amendments, 
including the "good faith" requirement, 
requires an educational agency or 
institution to evaluate theunderlying 
merits or legal sufficiency of the court 
order before disclosi ng the requested 
information without consent. As with 



any court order or subpoena that forms 
the basis of a disclosure without consent 
under § 99.31(a)(9), the agency or 
institution must simply determine 
whether the ex parte court order is 
facially valid. We see no reason to 
include this general requirement in the 
regulations. 

Section 99.31(a)(9)(ii) requires an 
agency or institution to make a 
reasonable effort to notify a parent or 
eligible student of a judicial order or 
lawfully issued subpoena in advance of 
compliance, except for certain law 
enforcement subpoenas if the court has 
ordered the agency or institution not to 
d i scl ose the exi stence or contents of the 
subpoena or information disclosed. An 
ex parte order is by definition an order 
issued without notice to or argument 
from the other party, including the party 
whose education records are sought, 
andtheUSA Patriot Act amendments 
provi de that the Attorney General may 
collect and use the records without 
regard to any FERPA requirements, 
including the recordation requirements. 
Under this statutory authority, the 
regulations properly provide that the 
agency or institution is not required to 
notify the parent or eligi ble student 
before complying with the order or to 
record the disclosure. 

We do not agree with the commenter's 
request that we amend the regulations to 
allow agencies and institutions to notify 
parents and students and record these 
disclosures. We note that FERPA does 
not prohibit an educational agency or 
institution from notifying a parent or 
student or recording a disclosure made 
in compliance with an ex parte court 
order under the USA PatriotAct. 
However, an agency or institution that 
does so may vi ol ate the terms of the 
court order itself and may also fail to 
meet the good faith requi rements i n the 
U SA Patri ot A ct for avoi di ng I iabi I ity for 
the disclosure. We would also 
recommend that agencies and 
institutions consult with legal counsel 
before notifying a parent or student or 
recordingadisclosureofeducation 
records made in compliance with an ex 
parte court order under the USA Patriot 
Act. 

Changes: None. 

Registered Sex Offenders 
(§ 99.31(a)(16)) 

Comment: One commenter asked for 
clarification whether the proposed 
regu lationsauthorizingthediscl osu re of 
personally identifiable information from 
education records concerning registered 
sex offenders authorize only the 
disclosure of information that is 
received from local law enforcement 
officials, or whether disclosure could 
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also include other information from a 
student's education records, such as 
campus of attendance. A second 
commenter expressed appreciation that 
the regulations clarify that school 
districts are not required or encouraged 
to col I ect or mai ntai n i nformati on on 
registered sex offenders and that these 
disclosures are permissible but not 
required. 

Discussion: The Campus Sex Cri mes 
Prevention Act(CSCPA) amendments to 
FERPA allow educational agencies and 
institutions to disclose any information 
concerning registered sex offenders 
provided to the agency or institution 
under section 170101 of the Violent 
Cri me Control and Law Enforcement 
Act of 1994, 42 U.S.C. 14071, commonly 
known as the Wetterling Act. Since 
publication of the NPRM, we have 
determined that the proposed 
regulations were confusing, because 
they limited these disclosures to 
information that was obtained and 
disclosed by an agency or institution in 
compliance with a State community 
notification program. In fact, theCSCPA 
amendments to FERPA cover any 
information provided to an educational 
agency or institution under the 
Wetterling Act, including not only 
information provided under general 
State community notification programs, 
which are required under subsection (e) 
of the Wetterling Act, 42 U.S.C. 

14071(e), but also information provided 
under the more specific campus 
community notification programs for 
institutions of higher education, which 
are required under subsection (j), 42 
U.S.C. 14071(j). 

The Wetterling Act requires States to 
release relevant information about 
persons required to register as sex 
offenders that is necessary to protect the 
public, including specific State 
reporti ng requ i remen ts for I aw 
enforcement agencies having 
jurisdiction over institutions of higher 
ed ucati on . T he excepti on to the consent 
requirement in FERPA allows 
educational agencies and institutions to 
make avai I able to the school community 
any information provided to it under the 
Wetterling Act. We interpret this to also 
include any additional information 
about the student that is relevant to the 
purpose for which the information was 
provided to the educational agency or 
institution— protecting the public. This 
could include, for example, the school 
or campus at which the student is 
enrolled. 

The proposed regulations included a 
sentence stating that FERPA does not 
requ ire or encourage agencies or 
institutions to collector mai ntain 
information about registered sex 



offenders. We have determined through 
further review, however, that this 
sentence could be confusi ng and should 
be removed. Participating institutions 
are required under section 485(f)(1) of 
the Higher Education Act of 1965, as 
amended, 20 U.S.C. 1092(f)(1), to advise 
the campus community where it may 
obtain law enforcement agency 
information provided by the State under 
42 U.S.C. 14071(j) concerning registered 
sex offenders. Further, the Department 
does not wish to discourage educational 
agencies and institutions from 
di scl osi ng rel evant i nformati on about a 
registered sex offender in appropriate 
circumstances. 

Changes: We have revised the 
regu I ati ons to remove the reference to 
the disclosure of information obtained 
by the educational agency or institution 
in compliance with a State community 
notification program. The regulations 
now simply allow disclosure without 
consent of any information concerning 
registered offenders provided to an 
educational agency or institution under 
42 U.S.C. 14071 and applicable Federal 
guidelines. Wealso have removed the 
sentence stati ng that neither FERPA nor 
the regulations requires or encourages 
agencies or institutions to col I ect or 
maintain information about registered 
sex offenders. 

Redisclosure of Education Records and 
Recordkeeping by State and Local 
Educational Authorities and Federal 
Officials and Agencies (§§ 99.31(a)(3); 
99.32(b); 99.33(b); 99.35(a)(2); 99.35(b)) 

(a) Redisclosure 

Comment: We received a number of 
comments on the proposed changes in 
§ 99.35(b) that would permit State and 
local educational authorities and 
Federal officials and agencies listed in 
§ 99.31(a)(3) to redisclose personally 
identifiable information from education 
records on behalf of educational 
agencies and institutions without 
parental consent under the existing 
redisclosure authority in § 99.33(b). 
(Section 99.33(b) allows an educational 
agency or institution to disclose 
personally identifiable information from 
education records with the 
understand i ng that the red pi ent may 
make further d i scl osu res of the 
information on behalf of the agency or 
institution if thedisclosure falls under 
one of the exceptions in § 99.31(a) and 
the agency or institution has complied 
with the recordation requirements in 
§ 99.32(b).) Many commenters said that 
the proposed change would ease 
administrative burdens on State and 
local educational authorities, agencies, 
and institutions. For example, under the 



proposed regulations, a student's new 
school district or institution would be 
able to obtain the student's prior 
education recordsfrom a single State 
agency instead of contacting and 
waiti ng for records from separate 
districts or institutions. Commenters 
noted, however, that certai n issues had 
not been addressed in the proposed 
regulations and that further clarification 
was required. Commenters also 
supported the new redisclosure 
authority to the extent that it faci I itates 
the exchange of education records 
among State educational authorities, 
educational agencies and institutions, 
and educational researchers through 
consol idated, statewide systems or 
separate data shari ng arrangements. 

T wo commenters expressed 
substantial concerns that the regulations 
inappropriately expanded the situations 
in which personally identifiable 
information could be redisclosed 
without parental or student consent. 

One commenter noted that the 
theoretical benefits of maintaining large, 
consolidated data systems, which allow 
users to track individual students over 
time, do not outweigh the need to 
protect individual privacy. Another 
commenter stated that the regulations 
should notallow State and local 
educational authorities and the Federal 
official sand agencies listed in 
§ 99.31(a)(3) to set up and operate 
record systems contai ni ng personal I y 
identifiable information that parents 
and students have no right to review or 
amend, and may not even know about. 
Barring the withdrawal of these 
regulations, these commenters urged the 
Department to strengthen or at least 
preserve the safeguards and protections 
that accompany this new data sharing 
authority. One commenter asked us to 
requi re any State or Federal entity that 
maintains education records to provide 
parents and students with annual 
notification and the right to review and 
amend the students' records. 

Many commenters indicated their 
strong support for allowing State 
educational authorities to respond to 
requests for information from education 
records and redisclose personally 
identifiable information, whether for 
data shari ng systems, transferri ng 
records to a student's new school, or 
other purposes authorized under 
§ 99.31(a), without involving school 
districts and postsecondary institutions. 
These commenters general ly thought 
that State educational authorities and 
Federal officials listed in § 99.31(a)(3) 
should not be required to consult with 
educational agencies and institutions 
when redisclosing information from 
education records. One commenter 
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asked us to clarify the role of the SEA 
or other State educational authority as 
the custodian of education records and 
its authority to act for educational 
agencies and institutions. Several 
commenters urged us to revise the 
regulations to make cl ear that the 
redisclosing official is authorized to 
make further disclosures under 
§ 99.31(a) without approval from, or 
further consultation with, the original 
source of the records and mai ntai n the 
appropriate record related to the 
redisclosure. 

Onecommenter said that the 
regulations must al low State 
educational authorities to transfer 
records on behalf of LEAs and 
postsecondary institutions. One 
commenter strongly supported the 
changes in § 99.35(b) because they 
would allow the State McKinney-Vento 
coord i nator to control transfer of 
education records of abused and 
homeless students to their new schools 
and prevent potential abusers from 
locating the student. 

Some commenters bel i eved that 
current regulations impede the ability of 
States to establ ish and operate data 
sharing systems and that regulatory 
changes must al low al I educational 
agencies, institutions, SEAs, and other 
State educational authorities to 
exchange data among themselves and 
work with researchers. Onecommenter 
recommended that we create a specific 
exception in § 99.31(a) that would allow 
data shari ng across State educati onal 
authorities in order to establ ish and 
operate consolidated, longitudinal data 
systems. 

Several commenters asked for 
clarification of the requirement in 
§ 99.35(a)(2) that authority for an agency 
or official listed in § 99.31(a)(3) to 
conduct an audit, evaluation, or 
compl i ance or enforcement acti vi ty i s 
not conferred by FERPA or the 
regulations and must be established 
under other Federal, State, or local law, 
including valid administrative 
regulations. One commenter supported 
data shari ng among pre-school , K- 12, 
and postsecondary institutions, 
provided that appropriate legal 
authority for the underlying audit, 
evaluation, or compliance and 
enforcement activity is establ ished as 
required under § 99.35(a)(2). One 
commenter asked whether citation to a 
specific law or regulations will be 
required, or whether general State laws 
that provide joint authority to evaluate 
programs at all levels are sufficient for 
parties to enter i nto data shari ng 
agreements under the regulations. 

Onecommenter indicated that its 
State has no laws or regulations that 



spec i f i cal I y al I ow th e State- 1 evel 
advisory council to audit or evaluate 
education programs, or that allow a K- 
12 school district to audit or evaluate 
the programs offered by postsecondary 
institutions, and vice versa, and the 
commenter asked whether general 
authority for these entities to act under 
State I aw would be sufficient. Two 
commenters whose States do not house 
their K-12 and postsecondary systems 
withi n the same agency expressed 
concern whether they will be able to 
develop consolidated databases under 
the regulations if their K-12 and 
postsecondary agencies do not have 
appropriate authority to audit or 
evaluate each other's programs. 

Discussion: Wecontinueto believe 
that State and local educational 
authorities and Federal officials that 
receive educati on records under 
§§ 99.31(a)(3) and 99.35 should be 
permitted to redisclose education 
records on behalf of educational 
agencies and institutions in accordance 
with the existing regulations governing 
the red i scl osu re of i nformati on i n 
§ 99.33(b). We agree with the 
commenters that thi s change wi 1 1 ease 
administrative burdens at all levels and 
facilitate the creation and operation of 
statewide data shari ng systems that 
support the student achievement, 
program accountabi I ity, transfer of 
records, and other objectives of Federal 
and State education programs while 
protecti ng the privacy rights of parents 
and students in students' education 
records. 

We respond first to commenters' 
concerns about the requirement in 
§ 99.33(b) that any rediscl osu re of 
personally identifiable information from 
education records must be made on 
behalf of the educational agency or 
institution that disclosed the 
information to the receiving party, 
including any requirement for 
consulting with or obtaining approval 
from the educational agency or 
institution that disclosed the 
information. The statutory prohibitions 
on the redisclosure of education records 
apply to education records that SEAs, 
State higher educational authorities, the 
Department, and other Federal officials 
receive under an exception to the 
written consent requirement in FERPA, 
such as §§ 99.31(a)(3) and 99.35 (for 
audit, evaluation, compliance and 
enforcement purposes) and § 99.31(a)(4) 
(for financial aid purposes). As 
explained in the preamble to the NPRM, 
§ 99.33(b) allows an educational agency 
or institution to disclose education 
records with the understandi ng that the 
recipient may make further disclosures 
on its behalf under one of the 



exceptions in § 99.31 (73 FR 15586- 
15587). In that case, the disclosing 
agency or institution must record the 
names of the additional parties to which 
the receiving party may redisclose the 
information on behalf of the educational 
agency or institution and their 
legitimate interests under § 99.31. 

Under the regulatory framework for 
redisc losing educati on records in 
§ 99.33(b), educational agencies and 
institutions retain primary 
respon si bi I i ty for d i sc I osi n g an d 
authorizing redisclosure of their 
education records without consent. (We 
note again that the only disclosures of 
education records that are mandatory 
under FERPA are those made to parents 
and el i gi ble students.) The purpose of 
§ 99.33(b), which allows redisclosure of 
education records notwithstanding the 
general statutory restrictions, has always 
been to ease ad mi ni strati ve burdens on 
educational agencies and institutions 
that disclose education records. The 
legal basis for this accommodation is 
that the red pient is acti ng "on behalf 
of” the agency or institution from which 
it received information from education 
records and making a further disclosure 
that the agency or institution would 
otherwise make itself under § 99.31(a). 
Section 99.33(b) does not confer on any 
recipient of education records 
independent authority to redisclose 
those records apart from acting "on 
behalf of" the disclosing educational 
agency or institution. 

The Department recognizes that the 
State and local educational authorities 
and Federal officials that receive 
education records without consent 
under § 99.31(a)(3) are responsi bl e for 
supervising and monitoring educational 
agencies and institutions and that many 
of them al so mai ntai n central i zed data 
systems that consti tute a val uabl e 
resource of information from education 
records. The proposed changes to 
§ 99.35(b) would allow these State and 
Federal authorities and officials to 
redisclose information received under 
§ 99.31(a)(3) under any of the exceptions 
in § 99.31(a), including transferring 
education records to a student's new 
school under § 99.31(a)(2), sharing 
information among other State and local 
educational authorities and Federal 
officials for audit or evaluation purposes 
under § 99.31(a)(3), and using 
researchers to conduct evaluations and 
studies under § 99.31(a)(3) or 
§ 99.31(a)(6), without violating the 
statutory prohibitions on redisclosing 
education records provided certain 
conditions have been met. In the event 
that an educational agency or institution 
objectstotheredisclosureof 
information it has provided, the State or 
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local educational authority or Federal 
official or agency may rely instead on 
any independent legal authority it has to 
further disclose the information. 

We agree that current regulations 
were unci ear about the abi I i ty of States 
to establ ish and operate data shari ng 
systems with educational agencies and 
institutions, which is why we amended 
§ 99.35(b). As explained in the NPRM 
(73 FR 15587), §§ 99.35(a)(2) and 
99.35(b) allow SEAs, higher education 
authorities, and educational agencies 
and institutions, including local school 
districts and postsecondary institutions, 
to share education records in personally 
identifiable form with one another, 
provided that Federal, State, or local 
law authorizes the recipient to conduct 
the audit, evaluation, or compliance or 
enforcement activity in question. 
Accordingly, data sharing arrangements 
among State and local educational 
authorities and educational agencies 
and institutions generally must meet 
these requ i remen ts to be permi ssi bl e 
under FERPA. (Data sharing with 
educational researchers is discussed 
below under Educational research.) 

With respect to the comments 
recommendi ng that we create a specific 
exception in § 99.31(a) to allow data 
shari ng across State educati onal 
authorities in order to establ ish and 
operate consolidated, longitudinal data 
systems and other data shari ng 
arrangements, there is no provision in 
FERPA that allows disclosure or 
redisclosure of education records, 
without consent, for the specific 
purpose of establ i shi ng and operati ng 
consolidated databases and data sharing 
systems, and, therefore, we are without 
authority to establish one in these 
regulations. 

I n response to the questi ons 
concerning the need for Federal, state, 
or local legal authority to disclose 
education records for auditor 
evaluation purposes, we note that, in 
general, FERPA allows educational 
agencies and institutions to disclose 
(and authorized recipients to redisclose) 
education records without consent in 
accordance with the exceptions listed in 
§ 99.31(a), including for audit or 
evaluation purposes under 
§§ 99.31(a)(3) and 99.35. It does not, 
however, provide the underlying 
authority for individuals and 
organizations to conduct the various 
activities that may allow them to receive 
education records without consent 
under these exceptions. For example, 

§ 99.31(a)(7) does not authorize an 
organization to accredit educational 
institutions; it allows educational 
institutions to disclose personally 
identifiable information from education 



records, without consent, to an 
organization to carry out its accrediting 
functions. If that organization is not, in 
fact, an accreditation authority for that 
particular institution, then disclosure 
under § 99.31(a)(7) is invalid and 
violates FERPA. Likewise, § 99.31(a)(9) 
does not authorize a court or Federal 
grand jury to issue an order or 
subpoena; it allows an educational 
agency or institution to comply with a 
facially valid order or subpoena, 
without consent. 

Weadded the requirement in 
§ 99.35(a)(2) that the recipient have 
authority under Federal, State, or local 
law to conduct the activity for which 
the disclosure was made because there 
was significant confusion in the 
educational community about who may 
receive educati on records without 
consent for audit and evaluation 
purposes under § 99.35. For example, in 
2005 the Pennsylvania Department of 
Education (PDOE) asked the Department 
whether, in the absence of parental 
consent, a charter school LEA 
responsible under State law for 
providi ng a free appropriate publ ic 
education to students with disabilities 
enrolled in the charter school could 
send the local school district of 
residence the IEP of each student with 
a disability. The school districts of 
residence clai med that they needed this 
i nformati on to su bstanti ate the charter 
school's invoices for higher payments 
based on the student's special education 
status under the IDEA. 

Our January 2006 response to PDOE 
expl ai ned that i n order to meet the 
requi rements for disclosure of education 
records under §§ 99.31(a)(3) and 99.35, 
Federal, State, or local law (including 
valid administrative regulations) must 
authorize the relevant State or local 
educational authority to conduct the 
audit, evaluation, or compliance or 
enforcement activity in question. In 
particular, we noted that charter schools 
in Pennsylvania could disclose the IEP 
cover sheet under §§ 99.31(a)(3) and 
99.35 of the regulations if the State law 
in question authorized a local school 
district to "audit or evaluate” a charter 
school 's request for payment of State 
funds at the special education rate and 
the school district needed personally 
identifiable information for that 
purpose, and that we would defer to the 
State Attorney General 's i nterpretati on 
of State law on the matter. We also 
expl ai ned that there appeared to be no 
legal authority that would allow charter 
school s i n the State to d i scl ose a 
student's entire IEP to the resident 
school district, as requested by the 
resident school districts. 



The Department has always 
interpreted §§ 99.31(a)(3) and 99.35 to 
allow educational agencies and 
institutions to disclose personally 
identifiable information from education 
records to the SEA or State higher 
education board or commission 
responsible for their supervision based 
on the understandi ng that those entities 
are authorized to auditor evaluate (or 
enforce Federal legal requirements 
related to) the education programs 
provided by the agencies and 
institutions whose records are 
disclosed. Under this reasoning, a K-12 
school district (LEA) may disclose 
personally identifiable information from 
education records to another LEA, or to 
a State higher education board or 
commission, without consent, if that 
LEA, board, or commission has legal 
authority to conduct the audit, 
evaluation, or compliance or 
enforcement activity with regard to the 
disclosing district's programs. States do 
not have to house their K-12 or P-12 
and postsecondary systems within the 
same agency i n order to take advantage 
of this provision. However, they may 
need to review and modify the 
supervisory and oversight 
responsi bi I ities of various State and 
local educational authorities to ensure 
that there is valid legal authority for 
LEAs, postsecondary institutions, SEAs, 
and higher education authorities to 
disclose or redisclose personally 
identifiable information from education 
records to one another under § 99.35(a) 
before i nformati on is released. 

It is not our intention in § 99.35(a)(2) 
to require educational agencies and 
institutions and other parties to identify 
specific statutory authority before they 
disclose or redisclose education records 
for auditor evaluation purposes but to 
ensure that some local, State, or Federal 
legal authority exists for the audit or 
evaluation, including for examplean 
Executive Order or administrative 
regulation. The Department encourages 
State and local educational authorities 
and educational agencies and 
institutions to seek guidance from their 
State attorney general on their legal 
authority to conduct a particular audit 
or evaluation. The Department may also 
provide additional guidance, as 
appropriate. 

Changes: None. 

(b) Recordation Requirements 

Comment: In the NPRM, 73 FR 15587, 
we invited public comment on whether 
an SEA, the Department, or other 
official or agency listed in § 99.31(a)(3) 
should be all owed to maintain the 
record of the redisclosures it makes on 
behalf of an educational agency or 
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institution asa means of relieving any 
administrative burdens associated with 
record i n g d i sc I osu res of ed u cati on 
records. Onecommenter urged the 
Department not to del egate 
responsi bi I ity for recordkeepi ng to State 
and local educational authorities and 
Federal agencies and officials that 
redisclose education records under 
§ 99.33(b). Another said that if a State or 
local educational authority or Federal 
agency or official rediscloses 
information "on behalf of' an 
educational agency or institution under 
§ 99.35(b), these further disclosures 
should be included in the student's 
record at the educational agency or 
institution. All other comments on this 
issue supported revisi ng the regulations 
to allow State and local educational 
authorities and Federal officials and 
agencies listed in § 99.31(a)(3) to record 
any redisclosures they make under 
§ 99.33(b). 

Several commenters suggested that 
the recordation requirements in 
§ 99.32(b) would place an undue burden 
on State and local officials when State 
educational authorities redisclose 
education records because the State 
authority would need to return to each 
original source of the records to record 
the redisclosure. Some commenters 
noted thatcompliancewith § 99.32(b) is 
practically impossible if an LEA or 
postsecondary institution is required to 
record all authorized redisclosures at 
the time of the initial disclosure of 
information to the State or Federal 
authority. Two commenters suggested 
that we el i mi nate the recordation 
problem by redefining the term 
disclosure so that it does not include 
disclosing information under 
§ 99.31(a)(3) for audit, evaluation, or 
compliance and enforcement purposes. 
Another commenter suggested that we 
define "educational agency or 
institution" to include State educational 
authori ti es so that d i scl osu res to State 
educational authorities would not be 
considered a disclosure under FERPA. 

Onecommenter said that the 
regulations should permit State 
educational authorities to record 
red i scl osu res as they are made and 
without having to identify each student 
by name. Another commenter asked for 
clarification whether the recordation 
requirements apply to redisclosures that 
SEAs make to education researchers and 
other parties that are not authorized to 
make any further disclosures, and what 
level of detail is required in the record 
regardi ng who accessed the data and 
what specific information was viewed. 

One commenter stated that if State 
educational authorities and Federal 
officials are authorized to record their 



own redisclosures of information, then 
the educational agency or institution 
should be required to retrieve these 
records i n response to a request to 
review education records by parents and 
el i gi bl e stu d ents w h o wou I d oth erw i se 
not know about the redisclosures. Other 
commenters suggested that the State 
educational authority or Federal official 
could either make the redisclosure 
record avail able directly to parents and 
students or send it to the LEA or 
postsecondary institution for this 
purpose. 

Discussion: We agree with 
commenters that i n order to faci I itate 
the operati on of State data systems and 
ease administrative burdens on all 
parties, the regulations should allow 
State educational authorities and 
Federal officials and agencies to record 
further disclosures they makeon behalf 
of educational agencies and institutions 
under § 99.33(b). We are revising the 
provisions of § 99.32 to address 
commenters' concerns and ensure that 
these changes will not expand the 
redisclosure authority of a State or local 
educational authority or Federal official 
or agency under § 99.35(b) and that 
parents and students will have notice of 
and access to any State or Federal 
record of further disclosures that is 
created. 

I n response to the commenter's 
suggestion that we define "educational 
agency or institution" and the term 
disclosure to address recordation issues 
associated with the new redisclosure 
authority i n § 99.35(b), we note that an 
educational agency or institution is 
required by statute to maintain with 
each student's education records a 
record of each request for access to and 
each disclosure of personally 
identifiable information from the 
education records of the student, 
including the parties who have 
requested or received information and 
their legitimate i nterests i n the 
information. 20 U.S.C. 1232g(b)(4)(A); 

34 CFR 99.32(a). This includes each 
disclosure of personally identifiable 
information from education records that 
an educational agency or institution 
makes to an SEA or other State 
educational authority and to Federal 
official sand agencies, including the 
Department, for audit, evaluation, or 
compliance and enforcement purposes 
under §§ 99.31(a)(3) and 99.35, and 
under most other FERPA exceptions, 
such as the financial aid exception in 
§ 99.31(a)(4). (Regulatory exceptions to 
the statutory recordation requirements, 
which are set forth in § 99.32(d), cover 
disci osu res that a parent or el igi ble 
student would general I y know about 
without the recordation or for which 



notice is prohibited under court order; 
the exceptions do not include 
disclosures made to parties outside the 
agency or institution for audit, 
evaluation, or compliance and 
enforcement purposes.) 

An educational agency or institution 
is required under FERPA to record its 
disclosures of personally identifiable 
information from education records 
even when it discloses information to 
another educational agency or 
institution, such as occurs under 
§ 99.31(a)(2) when a school district 
transfers education records to a 
student's new school . See 20 U .S.C. 
1232g(b)(4)(A); 34 CFR 99.32(a). 
Therefore, even if a State educational 
authority were considered an 
"educational agency or institution" 
under § 99.1, a school district or 
postsecondary institution would still be 
required to record its own disci osu res to 
that State educational authority; 
defininga State educational authority as 
an educational agency or institution 
would not eliminate this requirement. 
Therefore, a school district or 
postsecondary institution is required to 
record its disclosures to any State 
educational authority. 

The term disclosure is defined in 
§ 99.3 to mean to permit access to or the 
release, transfer, or other 
communication of personally 
identifiable information contained in 
education records to any party, by any 
means, including oral, written, or 
electronic means. This includes 
rel easi ng or maki ng a student's 
education records avail able to school 
officials within the agency or 
institution, for which an exception to 
the consent requirement exists under 
§ 99.31(a)(1). We see no legal basis for 
redefining the term disclosure to 
excl ude the rel ease of personal ly 
identifiable information to third parties 
outside the educational agency or 
institution under the audit, evaluation, 
or compliance and enforcement 
exception to the consent requirement i n 
§§ 99.31(a)(3) and 99.35. 

With regard to the level of detai I 
required in the record of redisclosures, 
current § 99.32(b) requires an 
educational agency or institution to 
record the "names of the additional 
parties to which the receiving party may 
disc lose the information" on its behalf 
and their legiti mate i nterests under 
§ 99.31. This means the name of the 
individual (if an organization is not 
involved) or the organization and the 
exception under § 99.31(a) that would 
allow the redisc I osu re to be made 
without consent. Under current 
§ 99.33(a)(2), the officers, employees, 
and agents of a party that receives 
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information from education records may 
use the information for the purposes for 
which the disclosure was made without 
violating the limitations on redisclosure 
in § 99.33(a)(1). Therefore, we interpret 
the recordation requirement in 
§ 99.32(b) to mean that an educational 
agency or institution may record the 
name of an organization, includinga 
research organization, to which a 
recipient may make further disclosures 
under § 99.33(b) and is not required to 
record the name of each individual 
within the organization who is 
authorized to use that information in 
accordance with § 99.33(a)(2). 

We also recognize that sometimes an 
educational agency or institution does 
not know at the time of its disclosure of 
education records that the receiving 
party may wish to make further 
disclosures on its behalf. Therefore, we 
interpret § 99.32(b) to allow a receiving 
party to ask an educational agency or 
institution to record further disclosures 
made on its behalf after the initial 
receipt of the records or information. 

These same pol icies apply to further 
disclosures made by State and local 
educational authorities and Federal 
officials listed in § 99.31(a)(3) that 
redisclose information on behalf of 
educational agencies and institutions 
under the new authority in § 99.35(b). 
Educational agencies and institutions 
that disclose education records under 
§ 99.31(a)(3) with the understanding 
that the State or Federal authority or 
official may make further disclosures 
may continue to record those further 
disclosures as provided in § 99.32(b)(1). 
Like any other recipient of education 
records, a State or Federal authority or 
official may also ask an educational 
agency or institution to record further 
disclosures made on its behalf after the 
initial recei pt of the records or 
information. It is incumbent upon a 
State or Federal authority or official that 
makes further disclosures on behalf of 
an educational agency or institution 
under § 99.33(b) to determine whether 
the educational agency or institution 
has recorded those further disclosures. 

If the educational agency or institution 
does not do so, then under the revisions 
to § 99.32(b)(2)(i) in the final 
regulations, the State and local 
educational authority or Federal official 
or agency that makes further disclosures 
must maintai n the record of those 
disclosures. 

We have also revised § 99.32(a) to 
ensure that educational agencies and 
institutions maintain a listing in each 
student's record of the State and local 
educational authorities and Federal 
official sand agencies that may make 
further disclosures of the student's 



education records without consent 
under § 99.33(b). This will help ensure 
that parents and students know that the 
record of disclosures maintained by an 
educational agency or institution as 
required under § 99.32(a) may not 
contain all further disclosures made on 
behalf of the agency or institution by a 
State or Federal authority or official and 
alert parents and students to the need to 
ask for access to th i s add i ti onal 
information. We have also revised 
§ 99.32(a) to require an educational 
agency or i nstituti on to obtai n a copy of 
the record of further disclosures 
maintained at the State or Federal level 
and make it avail able for parents and 
students to inspect and review upon 
request. 

In response to commenters' 
suggestions, the regulations in new 
§ 99.32(b)(2)(ii) allow a State or local 
educational authority or Federal official 
or agency to identify the redisclosure by 
the student's cl ass, school, district, or 
other appropriate grouping rather than 
by the name of each student whose 
record was redisclosed. For example, an 
SEA may record that it disclosed to the 
State higher education authority the 
scores of each student in grades nine 
through 12 on the State mathematics 
assessment for a particular year. We 
believethatthisprocedureeases 
administrati ve burdens while ensuring 
that a parent or student may access 
information about the redisclosure. 

We note that the recordation 
requirements under § 6401(c)(i)(IV) of 
the America COM PETES Act, Public 
Law 110-69, 20 U.S.C. 9871(c)(i)(IV), 
are more detai I ed and stri ngent than 
those required under FERPA. In 
parti cu I ar, a State that recei ves a grant 
to establish a statewide P-16 education 
data system under § 6401(c)(2), 20 
U.S.C. 9871(c)(2), is required to keep an 
accurate accounti ng of the date, nature, 
and purpose of each disclosure of 
personally identifiable information in 
the statewide P-16 education data 
system; a description of the information 
disclosed; and the name and address of 
the person, agency, institution, or entity 
to whom the disclosure is made. The 
State must also make this accounting 
avai I abl e on request to parents of any 
student whose information has been 
disclosed. The Department will issue 
further guidance on these requirements 
if the program is funded and 
implemented. 

Changes: We have made several 
changes to § 99.32, as fol lows: 

• New § 99.32(b)(2)(i) provides that a 
State or local educational authority or 
Federal official or agency listed in 
§ 99.31(a)(3) that makes further 
disclosures of information from 



education records must record the 
names of the additional parties to which 
it discloses information on behalf of an 
educational agency or institution and 
their legiti mate i nterests under § 99.31 
in the information if the information 
was received from an educational 
agency or institution that has not 
recorded the further disclosures itself or 
from another State or local official or 
Federal official or agency listed in 
§ 99.31(a)(3). 

• New § 99.32(b)(2)(H) provides that a 
State or local educational authority or 
Federal official or agency that records 
further disclosures of information may 
mai ntai n the record by the student's 
class, school, district or other 
appropriate grouping rather than by the 
name of the student. 

• New § 99.32(b)(2)(iii) provides that 
upon request of an educational agency 
or institution, a State or local 
educational authority or Federal official 
or agency that mai ntai ns a record of 
further disclosures must provide a copy 
of the record of further disc I osu res to 
the educational agency or institution 
within a reasonable period of time not 
to exceed 30 days. 

• Revised § 99.32(a)(1) requires 
educational agencies and institutions to 
list in each student's record of 
disclosures the names of the State and 
local educational authorities and 
Federal officials or agencies that may 
make f u rth er d i sc I osu res of th e 
information on behalf of the educational 
agency or institution under § 99.33(b). 

• New § 99.32(a)(4) requires an 
educational agency or institution to 
obtain a copy of the record of further 
disclosures maintained by a State or 
local educational authority or Federal 
official or agency and make it avai I able 
in response to a parent's or student's 
request to review the student's record of 
disclosures. 

Educational Research (§§ 99.31(a)(6) 
and 99.31(a)(3)) 

Comment: We received a number of 
comments on proposed § 99.31(a)(6)(H). 
In this section, we proposed that an 
educational agency or institution that 
discloses personally identifiable 
information without consent to an 
organization conducting studies for, or 
on behalf of, the educational agency or 
institution must enter into a written 
agreement with the organization 
specifying the purposes of the study and 
containing certain other elements. This 
exception to the consent requirement is 
often referred to as the "studies 
exception." While all of the comments 
on this provision generally supported 
the changes, many of the commenters 
raised concerns about the scope and 





Federal Register/ Vol. 73, No. 237/Tuesday, December 9, 2008/ Rules and Regulations 74825 



appl icabi I ity of the studies exception 
and requested clarification on some of 
the proposed changes, particularly with 
regard to the provisions relati ng to 
written agreements. 

Discussion: We address commenters' 
specific concerns about the key portions 
of these regulations in thefollowing 
sections. 

Changes: None. 

(a) Scope and Applicability of 
§ 99.31(a)(6) 

Comment: Several commenters stated 
that the proposed regulations did not 
clearly indicate that the studies 
exception applies to State educational 
authorities. Some commenters, 
assumi ng that § 99.31(a)(6) applied to 
State educational authorities, noted that 
the proposed regulations did not 
provide clear authority for State 
educational authorities such as an SEA, 
or a State longitudinal data system using 
State generated data (such as State 
assessment results), to enter into 
research agreements on behalf of 
educational agencies and institutions. 
One commenter stated that § 99.31(a)(6) 
should not be i nterpreted to require that 
research agreements be entered i nto by 
individual schools or that any resulting 
redisclosures be recorded by the 
individual schools. 

One commenter asked for clarification 
regardi ng whether § 99.31(a)(6) 
permitted a school to disclose a 
student's education records to his or her 
previous school for the purpose of 
evaluating Federal or State-supported 
education programs or for improving 
instruction. 

Another commenter stated that the 
Department should further revise the 
regulations to provide that only 
individuals in the organization 
conducting the study who have a 
legitimate interest in the i nformati on 
d i sc I osed be gi ven access to the 
information. The commenter also stated 
th at th e Department shouldspecifically 
limit § 99.31(a)(6) to bona fide research 
projects by prohibiting organizations 
conducting studies under this exception 
from using record-level data for other 
operational or commercial purposes. 

The commenter also expressed concern 
about the duration of research projects, 
noti ng that si gn i fi cantl y more restri cti ve 
access should be required for studies 
that track personally identifiable 
information for long periods of time. 

The commenter stated further that the 
Department should consider imposing a 
time limit on how long information 
obtained through longitudinal studies 
can be retained. 

Discussion: FERPA permits an 
educational agency or institution to 



disclose personally identifiable 
information from an education record of 
a student without consent if the 
disclosure is to an organization 
conducting studies for, or on behalf of, 
the educational agency or institution to 
(a) develop, validate, or administer 
predictive tests: (b) administer student 
aid programs: or (c) improve instruction. 
20U.S.C. 1232g(b)(l)(F); 34CFR 
99.31(a)(6). Disclosures made under the 
studies exception may only be used by 
the receiving party for the purposes for 
which the disclosure was made and for 
no other purpose or study. As such, 

§ 99.31(a)(6) is not a general research 
exception to the consent requirement in 
FERPA but an exception for studies 
limited to the purposes specified in the 
statute and regulations. 

We first note that it may not be 
necessary or even advantageous for 
State educational authorities to use the 
studies exception in order to conduct or 
authorize educational research because 
of the limitations in § 99.31(a)(6). In 
contrast, § 99.31(a)(3)(iv), under the 
conditions set forth in § 99.35, allows 
educational agencies and institutions, 
such as LEAs and postsecondary 
institutions, to disclose education 
records without consent to State 
educational authorities for auditand 
evaluation purposes, which can include 
a general range of research studies 
beyond the more I i mi ted group of 
studies specified under § 99.31(a)(6). 
Also, as explained more fully elsewhere 
in this preamble, while a State 
educational authority must have the 
underlying legal authority to audit or 
eval uate the records i t recei ves from 
LEAs or postsecondary institutions 
under § 99.35, the LEA or postsecondary 
institution is not required to enter into 
a written agreement for the audit or 
evaluation as it is required to do under 
§ 99.31(a)(6). (See Redisclosure of 
Education Records and Recordkeeping 
byStateand Local Educational 
Authorities and Federal Officials and 
Agencies.) The absence of an 
explanation of the authorized 
representatives exception (§ 99.31(a)(3)) 
in the NPRM created confusion, 
especially with regard to how State 
departments of education may utilize 
educati on records for eval uati on 
purposes. Therefore, we have included 
that explanation here. 

The conditions for disclosing 
education records without consent 
under §§ 99.31(a)(3)(iv) and 99.35 are 
discussed in the Department's 
Memorandum from the Deputy 
Secretary of Education (January 30, 

2003) avail able at http://www.ed.gov/ 
policy/gen/guid/secletter/030130.html. 
The Deputy Secretary's memorandum 



explains that under this exception an 
"authorized representative” of a State 
educational authority is a party under 
the direct control of that authority, e.g., 
an employee or a contractor. 

In general, the Department has 
interpreted FERPA and implementing 
regu I ati on s to permi t th e d i sc I osu re of 
personally identifiable information from 
education records, without consent, in 
connection with the outsourcing of 
institutional services and functions. 
Accordingly, the term "authorized 
representative" in § 99.31(a)(3) includes 
contractors, consultants, volunteers, and 
other outside parties (i.e., non- 
employees) used to conduct an audit, 
evaluation, or compliance or 
enforcement activities specified in 
§ 99.35, or other institutional services or 
functions for which the official or 
agency would otherwise use its own 
employees. For example, a State 
educational authority may disclose 
personally identifiable information from 
education records, without consent, to 
an outside attorney retained to provide 
legal services or an outside computer 
consultant hired to develop and manage 
a data system for education records. 

The term "authorized representative” 
also includes an outside researcher 
worki ng as a contractor of a State 
educational authority or other official 
listed in § 99.31(a)(3) that has 
outsourced the eval uati on of Federal or 
State supported education programs. An 
outside researcher may conduct 
independent research under this 
provision in the sense that the 
researcher may propose or initiate 
research projects for consideration and 
approval by the State educational 
authority or other official listed in 
§ 99.31(a)(3) either before or after the 
parties have negotiated a research 
agreement. Likewise, the State 
educational authority or official does 
not have to agree with or endorse the 
researcher's results or conclusions. In so 
doing, an outside researcher retained to 
eval uate education programs by a State 
educational authority or other official 
listed in § 99.31(a)(3) as an "authorized 
representative” may be given access to 
personally identifiable information from 
education records, including statistical 
information with unmodified small data 
cells. Flowever, the term "authorized 
representative" does not include 
independent researchers that are not 
contractors or other parties under the 
direct control of an official or agency 
listed in § 99.31(a)(3). 

While an educational agency or 
institution may not disclose personally 
identifiable information from students' 
education records to independent 
researchers, nothing in FERPA prohibits 
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them from disclosing information that 
has been properly de-identified. Further 
discussion of this issue is provided in 
the foil owing paragraphs and under the 
section entitled Personally Identifiable 
Information and De-ldentified Records 
and Information. 

An SEA or other State educational 
authority that has legal authority to 
enter into agreements for LEAs or 
postsecondary institutions under its 
jurisdiction may enter into an agreement 
with an organization conducting a study 
for the LEA or institution under the 
studies exception. If the SEA or other 
State educational authority does not 
have the legal authority to act for or on 
behalf of an LEA or institution, then it 
would not be permitted to enter i nto an 
agreement with the organization 
conducting the study under this 
exception. As previously mentioned, 
FERPA authorizes certain disclosures 
without consent; it does not provide an 
SEA or other State educational authority 
with the legal authority to act for or on 
behalf of an LEA or postsecondary 
institution. 

With regard to the request for 
clarification whether § 99.31(a)(6) 
permits a school to disclose a student's 
education records to his or her previous 
school for evaluation purposes, the 
studies exception only allows 
disclosures to organizations conducting 
studies for, or on behalf of, the 
educational agency or institution that 
discloses its records. The "for, or on 
behalf of" language from the statute 
does not permit disclosures under this 
exception so that the receiving 
organization can conduct a study for 
itself or some other party. This issue is 
discussed in more detail under the 
secti on of th i s preambl e enti tl ed 
Disclosure of Education Records to 
Student's Former Schools. 

We agree with the comment that the 
regulations should be revised to provide 
that only those individuals in the 
organization conducti ng the study that 
have a legitimate interest in the 
personally identifiable information from 
education records can have access to the 
records. The Secretary also shares the 
commenter's concerns about limiting 
§ 99.31(a)(6) to bona fide research 
projects, prohibiting commercial 
utilization of education records, and 
limiting the duration of research 
projects. We address these issues i n 
greater detai I i n the fol I ow i ng secti on 
concerning written agreements. 

Changes: None. 

(b) Written Agreements for Studies 

Comment: Several commenters 
expressed concern that § 99.31(a)(6) not 
be read so broadly as to erode parents' 



and students' privacy rights, and, 
therefore, supported the restrictions that 
the Secretary included in this provision. 
Specifically, they supported the new 
requirement that educational agencies 
and institutions must enter into a 
written agreement with the organization 
conducti ng the study that specifies: the 
purpose of the study, that the 
information from the education records 
di scl osed be used on I y for the stated 
purpose, that individuals outside the 
organization may not have access to 
personally identifiable information 
about the students being studied, and 
that the information be destroyed or 
returned when it is no longer needed for 
the purpose of the study. 

Several commenters sai d that the 
Department should clarify that the 
existence of a written agreement is not 
a rationale in and of itself for the 
disclosure of education records. They 
stated that the regulations should 
provide explicitly that a written 
agreement does not modify the 
protections under FERPA or justify the 
use of the records transferred other than 
as permitted by the statute and the 
regulations. Some of these commenters 
stated that the written agreement should 
include a description of the specific 
records to be disclosed for the study. 

Several commenters agreed with the 
provision in the proposed regulations 
that specified that an educational 
agency or institution does not need to 
agree with or endorse the conclusions or 
results of the study. Other commenters 
asked that we include in the regulations 
the explanation provided in the 
preambleto the NPRM that the school 
also does not need to initiate the study. 

One commenter suggested that we 
change the references from "study" to 
"studies" so that it is clear that an 
agency or institution and a research 
organization could enter into one 
agreement that would cover a variety of 
studies that support the State's or school 
district's educational objectives. One 
commenter suggested that the 
Department certify agreements between 
educational agencies and research 
organizations as meeting the 
requirements of FERPA. 

There were several comments on the 
destruction of i nformati on requirements 
in FERPA. Some suggested that we 
include in the regulations the specific 
time period by which information 
disclosed to a researcher must be 
destroyed, whi le others stated that 
ongoing access to data is necessary and 
that researchers should be permitted to 
retain information indefinitely. Some 
commenters suggested that the requi red 
time period for the destruction or return 
of education records, as deemed 



necessary by the parties to support the 
purposes of the authorized study or 
studies, be establ i shed in thewritten 
agreement. 

One commenter approved including 
the requi rements regard i ng the use and 
destruction of data in thewritten 
agreement as a way of i mprovi ng 
compliance with FERPA. However, the 
commenter questioned our explanation 
that the I anguage i n the statute 
providing that the study must be 
conducted "for, or on behalf of" the 
educational agency or institution means 
that the disclosing school must retain 
control over the information once it has 
been given to a third party conducting 
a study. The commenter bel ieved that 
school districts will not be involved in 
how a study is performed and that the 
written agreement with the organization 
sped fy i ng the organ i zati on 's obi i gati ons 
with regard to the use and destruction 
of data shou I d be suffi ci ent. 

Discussion: The Secretary shares the 
concerns raised by commenters that 
§ 99.31(a)(6) not be read so broadly as to 
erode parents' and students' privacy 
rights. Accordingly, we have revised 
§ 99.31(a)(6) to address some of these 
concerns and bel i eve that these changes 
will provide adequate protection of 
students' education records that may be 
disclosed under the studies exception. 

In the NPRM, we proposed to remove 
current§ 99.31(a)(6)(ii)(A) and (B) and 
included these requirements under the 
provisions for written agreements. 

These paragraphs provide that the study 
must be conducted in a manner that 
does not permit personal identification 
of parents and students by individuals 
other than representatives of the 
organization and that the information be 
destroyed when no longer needed for 
the purposes for which the study was 
conducted. Weare including 
§ 99.31(a)(6)(ii)(A) and (B) in thefinal 
regulations. After reviewing comments 
on the proposed changes, we concluded 
that, by moving these two provisions 
into the new paragraph relating to 
written agreements, we would have 
weakened the statutory requirements 
concerning the studies exception. We 
believe this correction will alleviate 
commenters' concerns about weakening 
parents' and students' privacy rights 
under FERPA. 

We agree with the comments that the 
existence of a written agreement is not 
a rationale in and of itself for the 
disclosure of education records. Asa 
privacy statute, FERPA requires that 
parents and eligible students provide 
written consent before educational 
agencies and institutions disclose 
personally identifiable information from 
students' education records. There are 
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several statutory exceptions to FERPA's 
general consent rule, one of which is 
§ 99.31(a)(6), an exception that permits 
disclosure of records for studies limited 
to the purposes specified in the statute 
and regulations. However, a written 
agreement, a memorandum of 
understanding, or a contract is not a 
justification for disclosure of education 
records. Rather, a disclosure must meet 
the requirements in § 99.31(a)(6) or the 
other permitted disclosures under 
§99.31. If a disclosure meets the 
conditions of § 99.31(a)(6), the 
disclosure may be made, and the written 
agreement sets forth the requi rements 
that must be foil owed when entering 
into such an agreement. 

As noted in our earlier discussion of 
the scope and applicability of the 
studies exception, the Secretary concurs 
that the regulations should be revised to 
requi re that a written agreement 
expressly include the purpose, scope, 
and duration of the agreed upon study, 
as well as the information to be 
disclosed. We also agree with 
commenters that the regulations should 
specifically limit any disclosures of 
personally identifiable information from 
students' education records to those 
individuals in the organization 
conducti ng the study that have a 
legitimate interest in the information. 
This requirement is consistent with 
§ 99.32(a)(3)(ii), which requires that an 
educational agency or institution record 
the "legiti mate i nterests” the parties had 
in obtaining information under FERPA. 

The Secretary strongly recommends 
that schools carefully limitthe 
disclosure of students' personally 
identifiable i nformation under this and 
the other exceptions in § 99.31 and 
reminds educational agencies and 
institutions that disclosures without 
consent are subject to § 99.33(a)(2), 
which states: "The officers, employees, 
and agents of a party that receives 
information under paragraph (a)(1) of 
this section may use the information, 
but only for the purposes for which the 
disclosure was made." The recordation 
requirements in §99.32 also apply to 
any disclosures of personally 
identifiable i nformation made under the 
studies exception. (We note that a 
school does not have to record the 
disclosure of information that has been 
properly de-identified.) 

Although FERPA permits schools to 
disclose personally identifiable 
information under § 99.31(a)(6) to 
organizationsconducting studies for or 
on its behalf, the Secretary recommends 
that educational agencies and 
institutions release de-identified 
information whenever possible under 
this exception. Even when schools opt 



not to release de-identified information 
in these circumstances, we recommend 
that schools reduce the risk of 
unauthorized disclosure by removing 
direct identifiers, such as names and 
SSNs, from records that don't require 
them, even though these records may 
still contain some personally 
identifiable information. This is 
especially important when a school also 
discloses sensitive information about 
students, such as type of disability and 
special education services received by 
the students. 

We agree with commenters that 
§ 99.31(a)(6) should be revised to 
indicate that an educational agency or 
institution is not required to initiate a 
study. Additionally, we have revised 
§ 99.31(a)(6) to include the word 
"studies" so that an educational agency 
or institution may utilize one written 
agreement for more than one study, so 
long as the requirements concerning 
information that must be in the 
agreement are met. 

While we do not have the authority 
under FERPA to officially certify 
agreements between educational 
agencies and institutions and 
organizations conducting studies, FPCO 
does provide technical assistance to 
educational agencies or institutions on 
FERPA. As such, if school officials have 
questions about whether an agreement 
meets the requirements in § 99.31(a)(6), 
they may contact FPCO for assistance. 

With regard to the comments that we 
include in the regulations a specific 
time period by which information 
provided under the studies exception 
must be destroyed, we bel ieve that the 
parti es enteri ng i nto the agreement 
should decide when information has to 
be destroyed or returned to the 
educational agency or institution. As we 
have discussed, we have revised 
§ 99.31(a)(6) to require that the written 
agreement include the duration of the 
study and the time period during which 
the organization must either destroy or 
return the information to the 
educational agency or institution. 

With regard to the comment that a 
written agreement with the organization 
conducting the study should be 
suffi ci ent for an educational agency or 
institution to retain control over 
information from education records 
once the information is given to an 
organization conducting a study, we 
agree that a written agreement required 
under the regulations will help ensure 
that the information is used only to 
meet the purposes of the study stated i n 
the written agreement and that al I 
appl i cabl e requ i rements are met. 
However, similar to the requirement 
that an outside service provider serving 



as a school official is subject to FERPA's 
restrictions on the use and redisclosure 
of personally identifiable information 
from education records, educational 
agencies and institutions must ensure 
that organizations with which they have 
entered i nto an agreement to conduct a 
study also comply with FERPA's 
restrictions on the use of personally 
identifiable information from education 
records. (See pages 15578-15580 of the 
NPRM .) That is, the school must retain 
control over the organization's access to 
and use of personally identifiable 
information from education records for 
purposes of the study or studies, 
including access by the organization's 
own employees and subcontractors, as 
well as any school officials whom the 
organ i zati on permi ts to have access to 
education records. 

An educational agency or institution 
may need to determi ne that the 
organization conducting the study has 
reasonable controls in place to ensure 
that personally identifiable information 
from education records is protected. We 
note that it is common practice for some 
data shari ng agreements to have a 
"controls section" that specifies 
required controls and how they will be 
verified (e.g., surprise inspections). We 
recommend that the agreement requi red 
by § 99.31(a)(6) include a section that 
sets forth si mi I ar requ i rements. I f a 
school is unable to verify that these 
controls are in place, then it should not 
disclose personally identifiable 
information from education records to 
an organization for the purpose of 
conducting a study. 

In this regard, it should be noted that 
educational agencies and institutions 
are responsible for any failures by an 
organization conducting a study to 
comply with appl icable FERPA 
requi rements. FERPA states that if a 
third party outside the educational 
agency or institution fai Is to destroy 
information in violation of 20 U.S.C. 
1232g(b)(l)(F), the studies exception in 
FERPA, the educational agency or 
institution shall be prohibited from 
permitting access to information from 
education records to that third party for 
a period of not less than five years. See 
20 U.S.C. 1232g(b)(4)(B). 

Changes: We have revised 
§ 99.31(a)(6) to: (1) Retain 
§ 99.31(a)(6)(ii)(A) and (B); (2) amend 
§ 99.31(a)(6)(ii)(A) to provide that the 
study must be conducted in a manner 
that does not permit personal 
identification of parents or students by 
anyone other than representati ves of the 
organization that have legitimate 
i nterest i n the i nformati on; (3) amend 
§ 99.31(a)(6)(ii)(C) to requ ire that the 
written agreement specify the purpose, 
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scope, and duration of the study and the 
information to be disclosed; require the 
organization to use personally 
identifiable information from education 
records only to meet the purpose or 
purposes of the study as stated i n the 
written agreement; limit any disclosures 
of information to individuals in the 
organization conducting the study who 
havea legitimate interest in the 
information; and require the 
organization to destroy or return to the 
educational agency all personally 
identifiable information when the 
information is no longer needed for the 
purposes of the study and specify the 
time period during which the 
organization must either destroy or 
return the information to the 
educational agency or institution; and 
(4) amend § 99.31(a)(6) in new 
paragraph (iii) to provide that an 
educational agency or institution is not 
required to initiatea study. 

Disclosure of Education Records to 
Non-Educational State Agencies 

Comment: Several commenters stated 
that the proposed amendments did not 
specifi cal ly address whether an 
educational agency or institution is 
permitted to disclose education records 
to non-educational State agencies, such 
as State health or labor agencies, as part 
of an agreement with those agencies, 
without first obtaining consent. One 
commenter said that because the 
Department has taken the position that 
education records may be shared with 
State auditors who are not educational 
officials and who are not, by definition, 
under the control of a State educational 
authority, there is no legal basis to 
prohi bit the disclosure of education 
records to other non-educational State 
and local agencies. 

Some officials representing State 
health agencies commented that FERPA 
should be more closely aligned with the 
disclosure provisions of the HIPAA 
Privacy Rule. One commenter noted that 
there was a critical need for publ ic 
health researchers to be able to access, 
without consent, personally identifiable 
information contained in student health 
records to al I ow for analyses, public 
health studies, and research that will 
benefit school-aged children, as well as 
the general population. One 
organization representing school nurses 
noted that public health officials need 
access to education records for the 
purposes of public health reporting, 
surveillance, and reimbursement. 

Several commenters recommended 
that SEAs be authorized to share data 
from education records with State social 
services, health, juvenile, and 
employment agencies, to serve the 



needs of students, including special 
needs, low-income, and at-risk students. 
One SEA commented that it did not 
support extending access to student data 
to non-education State agencies, except 
to State auditors, as specified in 
proposed § 99.35(a)(3). This commenter 
asserted that access to and use of 
information from students' education 
records should be control led by a 
limited number of education officials 
who are sensitive to the intent of FERPA 
and well acquainted with its safeguards. 

Discussion: There is no specific 
exception to the written consent 
requirement in FERPA that permits the 
disclosure of personally identifiable 
information from students' education 
records to non-educational State 
agencies. Educational agencies and 
institutions may disclose personally 
identifiable information for audit or 
evaluation purposes under 
§§ 99.31(a)(3) and 99.35 only to 
authorized representatives of the 
officials or agencies listed in 
§ 99.31(a)(3)(i) through (iv). Typically, 
LEA sand their constituent schools 
disclose education records to State 
educational authorities under 
§ 99.31(a)(3)(iv), such as the SEA, for 
audit, evaluation, or compliance and 
enforcement purposes. 

There are some exceptions that might 
authorize disclosures to non- 
educational State agencies for specified 
purposes. For example, disclosures may 
be made in a health or safety emergency 
(§§ 99.31(a)(10) and 99.36), in 
connection with financial aid 
(§ 99.31(a)(4)), or pursuant to a State 
statu te u n d er th e j u ven i I e j u sti ce system 
exception (§§ 99.31(a)(5) and 99.38), and 
any disclosures must meet the specific 
requirements of the particular 
exception. FERPA, however, does not 
contai n any specific exceptions to 
permi t d i scl osu res of personal I y 
identifiable information without 
consent for public health or 
employment reporting purposes. That 
said, nothing in FERPA prohibits an 
educational agency or institution from 
importing information from another 
source to perform its own evaluations. 

We believe that any further expansion 
of the I i st of offi ci al s and enti ti es i n 
FERPA that may receive education 
records without the consent of the 
parent or eligi ble student must be 
authorized by legislation enacted by 
Congress. 

We explained in the NPRM on page 
15577 that, with respect to State 
aud i tors, I egi si ati ve h i story for the 1979 
FERPA amendment indicates that 
Congress specifically intended that 
FERPA not preclude State auditors from 
obtaining personally identifiable 



information from education records in 
order to audit Federal and State 
supported education programs, 
notwith standi ng that the statutory 
language i n the amendment refers only 
to "State and local educational 
officials." See 20 U.S.C. 1232g(b)(5); 

H.R. Rep. No. 338, 96th Cong., 1st Sess. 
at 10 (1979), reprinted in 1979 U.S. 

Code Cong. &Admin. News 819, 824. 
This legislative history provides a basis 
for drawing a distinction between State 
auditors and officials of other State 
agencies that also are not under the 
control of the State educational 
authority. (Asexplained more fully 
under State auditors, upon further 
review, we have removed from the final 
regulations the proposed regulations 
related to State auditors and audits.) 

The 1979 amendment to FERPA does 
not apply to other State officials or 
agencies, and there is no other 
legislative history to indicate that 
Congress i ntended that FERPA be 
interpreted to permit educational 
agencies and institutions, or State and 
local educational authorities or Federal 
officials and agencies listed in 
§ 99.31(a)(3), to share students' 
education records with non-educational 
State officials. In fact, Congress has, on 
numerous occasions, indicated 
otherwise. 

As discussed elsewhere in this 
preamble under the heading Health or 
Safety Emergency, the HIPAA Privacy 
Rule specifically excludes from 
coverage health care information that is 
maintained as an "education record" 
under FERPA. 45 CFR 160.103, 

Protected health information. We 
understand that the HIPAA Privacy Rule 
al I ows covered entities to disclose 
identifiable health data without written 
consent to public health authorities. 
However, there is no comparable 
exception to the written consent 
requirement in FERPA. 

As mentioned previously, in 
conducting an audit, evaluation, or 
compl i ance or enforcement acti vi ty , an 
educational authority may collaborate 
with other State agencies by importing 
data from those sources and conducti ng 
necessary matches. Any reports or other 
information created as a result of the 
data matches may only be released to 
those non-educational officials in non- 
personal I y identifiable form. 

Educational authorities may also release 
information on students to non- 
educational officials that has been 
properly de-identified, as described in 
§ 99.31(b)(1). 

Additionally, many agencies 
providing services to low income or at- 
risk families have parents sign a consent 
form authorizing disclosure of 
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information at intake time so that the 
agency can receive necessary 
information from schools. In 1993, we 
amended theFERPA regulations to help 
facilitate this practice. In final 
regulations published in the Federal 
Register on January 7, 1993 (58 FR 
3188), we removed the previous 
requirement in the regulations that 
schools "obtain'' consent from parents 
and eligible students so that parents and 
eligi ble students may "provide" a 
signed and dated consent to third 
parties in order for the school to 
disclose education records to those 
parties. 

Therefore, parents can provide 
consent at i ntake ti me to State and local 
social services and other non- 
educational agencies serving the needs 
of students in order to permit their 
children's schools (or the SEA) to 
disclose education records to the 
agency. For example, parents routinely 
provide consent to the Medicaid agency 
that permits that agency to col lect 
information from other agencies on the 
family being served. In many cases 
those consents are written in a manner 
that complies with the consent 
requirement in § 99.30, and the 
student's school may disclose 
information to the Medicaid agency 
necessary for reimbursement purposes 
for services provided the student. 

Changes: None. 

Disclosure of Education Records to 
Students Former Schools 
(§§ 99.31(a)(3), 99.31(a)(6), and 
99.35(b)) 

Comment: Onecommenter asked for 
clarification whether a school could 
disclose a student's education records to 
the student's previous school for the 
purpose of evaluating Federal or State 
supported education programs or for 
improving instruction. Several 
commenters said that there is a critical 
need for school districts to beableto 
access the records of thei r former 
students from the student's new district 
or postsecondary institution so that the 
previous institution can evaluate the 
effectiveness of its own education 
programs. Some commenters said that 
§ 99.35(a) clearly allows a K- 12 data 
system to use postsecondary records to 
evaluate its own programs, and that a 
K-12 system does not need to have legal 
authority to evaluate postsecondary 
programs for the d i sc I osure to be val i d 
under the audit or evaluation exception. 

Discussion: Section 99.31(a)(2) allows 
an educational agency or institution to 
disclose personally identifiable 
information from education records, 
without consent, to a school where the 
student seeks or intends to enrol I or is 



al ready en rol I ed i f the d i scl osu re rel ates 
to the student's enrol Iment or transfer. 
There is no specific authority in FERPA 
for an educational agency or institution, 
or a State or local educational authority, 
to d i scl ose or red i scl ose personal I y 
identifiable information from education 
records to a student's former school 
without consent. 

As discussed above, §§ 99.31(a)(3) and 
99.35 allow educational agencies and 
institutions to disclose personally 
identifiable information from education 
records without consent to State and 
local educational authorities that are 
legally authorized to auditor evaluate 
the disclosing institution's programs or 
records. We encourage State and local 
authorities to take advantage of this 
exception and establish or modify State 
or local legal authority, as necessary, to 
allow K-12 and postsecondary 
educational authorities to audit or 
evaluate one another's programs. As 
noted above, the Department will 
general I y defer to a State Attorney 
General 's i nterpretati on of State or I ocal 
law on these matters. 

Section 99.31(a)(6) allows an 
educational agency or institution to 
disclose personally identifiable 
information from education records 
without consent to an organization 
conducti ng a study for, or on behalf of, 
the agency or institution that discloses 
its records. The "for, or on behalf of" 
language from the statute and 
regulations, however, does notallow the 
educational agency or institution to 
disclose personally identifiable 
information from education records 
under this exception so that the 
receiving organization can conduct a 
study for itself or some other party. 
Further, the Secretary does not as a 
policy matter support expanding the 
studies exception to permit such a 
disclosure because it would result in a 
vast i ncrease i n the number of parties 
gaining access to and maintaining 
personally identifiable information on 
students. As discussed below, 
educational agencies and institution and 
other parties, including State 
educational authorities, may always 
release information from education 
records to a student's former school, 
without consent, if all personally 
identifiable information has been 
removed. 

Personally Identifiable Information and 
De-ldentified Records and Information 
(§§ 99.3 and 99.31(b)) 

(a) Definition of Personally Identifiable 
Information 

Comment: We received a number of 
comments on proposed § 99.3 regarding 



changes to the definition of personally 
identifiable information. One 
commenter applauded the Department's 
recognition of the i ncreasi ng ease of 
identifying individuals from redacted 
records and statistical information 
because of the large amount of detai led 
personal information that is maintained 
on most Americans by many different 
organizations. This commenter and 
others, however, stated that the 
proposed regulations did not go far 
enough to ensure that personal ly 
identifiable i nformation about students 
would not be released. 

One commenter expressed concern 
about our proposal to eliminate 
paragraphs (e) and (f) from the existing 
definition of personally identifiable 
information, which included a list of 
personal characteristics and other 
information that would make a student's 
identity easily traceable. The 
commenter said that this was a change 
to long-standing Department policy and 
represented an unwarranted invasion of 
privacy that exceeds statutory authority. 
This commenter also expressed concern 
that el i mi nati ng the "easi I y traceabl e" 
provi si ons for determi ni ng w hether 
information was personally identifiable 
could prevent parents from accessing 
their children's education records and 
might allow school officials to 
circumvent FERPA requirements by 
using nicknames, initials, and other 
personal characteristics to refer to 
children. 

I n contrast, several commenters stated 
that the regulations would be 
unworkable or were too restrictive and 
would prevent or discourage the release 
of information from education records 
needed for school accountability and 
other public purposes. These 
commenters stated that paragraphs (f) 
and (g) in the proposed definition of 
personally identifiable information, 
which replaces the "easily traceable" 
provisions, would provide school 
officials too much discretion to conceal 
information the public deserves to have 
in order to debate public policy. 
Proposed paragraph (f) provided that 
personally identifiable information 
includes other information that, alone or 
in combination, is linked or linkableto 
a specific student that would allow a 
reasonable person in the school or its 
community, who does not have personal 
knowledge of the rel evant 
circumstances, to identify the student 
with reasonable certainty. Proposed 
paragraph (g) provided that personally 
identifiable information includes 
information requested by a person who 
the educational agency or institution 
reasonably believes hasdirect, personal 
knowledge of the identity of the student 
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to whom the education record relates, 
someti mes known as a "targeted 
request." 

Several commenters expressed 
support for the provisions in paragraphs 
(f) and (g) of the definition of personally 
identifiable information. One of these 
commenters said that the "school and 
community" limitation and the 
"reasonable person" standard in 
paragraph (f) is sufficiently clear for 
implementation by parties that release 
de-identified records. Another 
commenter said that ambiguity in the 
terms "reasonable person" and 
"reasonable certainty” was necessary so 
that organizations can develop their 
own standards for addressing the 
problem of ensuring that information 
that is released is not personally 
identifiable. This commenter asked the 
Department to retai n the fl exi bi I i ty in 
the proposed language and provide 
examples of policies that have been 
implemented that meet the 
requirements in paragraphs (f) and (g) of 
the definition. The commenter said that 
most school districts know when they 
are recei vi ng a targeted request 
(paragraph (g)) but asked that the 
Department provide examples to help 
districts determine whether a non- 
targeted request will reveal personally 
identifiable information. 

Journalism and writers' associations 
expressed concern about the 
"reasonable person" standard in 
paragraph (f) and our statement in the 
preamble to the NPRM (73 FR 15583) 
that an educational agency or institution 
may not be abl e to rel ease redacted 
education records that concern students 
or incidents that are well-known in the 
school community, including when the 
parent or student who is the subject of 
the record contacts the media and 
causes the publ icity that prevents the 
rel ease of the record. These commenters 
stated that FERPA should not prevent 
school s from rel easi ng records from 
which all direct and indirect identifiers, 
such as name, date of bi rth, address, 
unusual place of birth, mother's maiden 
name, and sibling information, have 
been removed without regard to any 
outside information, particularly after a 
student or parent has waived any 
pretense of confidential ity by contacting 
the media. They also said that the 
proposed definition of personally 
identifiable information does not 
acknowledge the public interest in 
school accountability. 

One commenter said that the 
"reasonable person in the school or its 
community" standard in paragraph (f) 
was too narrow and inappropriate 
because it would allow individuals with 
even modest scientific and 



technological abilities to identify 
students based on supposedly de- 
identified information. Another 
commenter said that the reference i n 
paragraph (f) to a "reasonable person" 
should be changed to "ordinary 
person." A commenter said that if we 
retai n the "reasonable person" standard, 
we should remove the references to the 
school or its community and personal 
knowledge of the ci rcumstances and 
simply refer to a reasonable person. 
Several commenters said the "school or 
its community" standard is too vague 
and needs to be clarified, particularly in 
relation to the provision in paragraph (g) 
regarding targeted requests; these 
commenters said that school officials 
will choose to eval uate a request for 
information based on whether a 
reasonable person in the community, a 
broader standard than a reasonable 
person in the school, could identify the 
student and automatically find their 
own decisions to be reasonabl e. One 
commenter said that the phrase 
"relevant circumstances" in paragraph 

(f) is vague. 

One commenter said that the standard 
in paragraph (f) about whether the 
information requested is "linked or 
linkable" to a specific student was too 
vague and overly broad and could be 
logically extended to cover almost any 
information about a student. This 
commenter said that the regulations 
should focus on preventing the release 
of records that in and of themselves 
contain unique personal descriptors that 
would make the student identifiable in 
the school community and not refer to 
outside information, including what 
members of the public might know 
i ndependentl y of the records 
themselves. 

Several commenters expressed 
concerns that the provision in paragraph 

(g) regarding targeted requests will make 
FERPA and the regulations 
administratively unwieldy and 
unnecessarily subjective. One of these 
commenters said that paragraph (g) is 
unclear and adds more confusion as 
opposed to providing clarity; this 
commenter said that paragraph (g) 
should be removed and that the 
requirements in paragraph (f) were 
sufficient. Another commenter said that 
the standard in paragraph (g) unfairly 
holds agencies and institutions 
responsible for ascertaining the 
requester's personal knowledge. One 
commenter said that we should delete 
the words "direct, personal" before 

“ kn ow I ed ge" becau se th ese terms are 
unclear. According to this commenter, if 
a school reasonabl y bel i eves that the 
requester knows the student's identity, 
the school should not disclose the 



records, whether the knowledge is 
"direct" or “personal." 

Other commenters expressed a more 
general concern that the standard for 
targeted requests in paragraph (g) places 
an undue burden on school officials to 
obtain information about the person 
requesting information and creates a 
potential conflict with State open 
records laws. According to these 
commenters, the regulations as 
proposed would encourage agencies and 
institutions to make illegitimate 
inquiries into a requester's motives for 
seeking information and what the 
requester intends to do with it, or 
require the agency or institution to read 
the mi nd of a party requesti ng 
information. According to the 
commenter, this would introducea 
d egree of su bj ecti ve j u d gmen t th at 
would invariably lead to abuse because 
the same record that could be 
considered a public record to one 
requester could be a confidential 
document to another. A large university 
that has decentralized administrative 
operations questioned how it could be 
expected to take institutional knowledge 
into account in evaluating whether a 
request for records is targeted and asked 
for confi rmation that the Department 
wi 1 1 not substitute its judgment for that 
of the institution so long as there was a 
rational basis for the decision to release 
information. 

We received a few comments on the 
example of a targeted request that we 
provided in the preambleto the NPRM 
(73 FR 15583-15584), in which rumors 
circulate that a candidate running for 
political office plagiarized other 
students' work, and a reporter asks the 
universityforthe red acted di sc iplinary 
records of al I students who were 
disciplined for plagiarism for the year in 
which the candidate graduated. We 
explained that the university may not 
rel ease the records in redacted form 
because the ci rcumstances i ndi cate that 
the requester had direct, personal 
kn ow I ed ge of th e su bj ect of th e case. 
Two commenters said that confirmation 
that one unnamed student was 
disciplined in 1978 for plagiarism does 
not identify that student or confi rm that 
the candidate was that student, and our 
explanation of the standard with this 
example showed that the regulations 
would prevent parents and the media 
from discharging their vital oversight 
responsi bilities. 

One school district said that the 
targeted request provision could impair 
due process in some student discipline 
cases by I i mi ti ng the rel ease of redacted 
witness statements that concern more 
than one student. The commenter 
suggested that under its current 





Federal Register/ Vol. 73, No. 237/Tuesday, December 9, 2008/ Rules and Regulations 74831 



practice, if four students are involved in 
an altercation, the school redacts all 
personally identifiable information with 
regard to students 2 through 4 when 
rel easi ng the statement without parental 
consent to student 1, but under the 
proposed regulations, student l's 
request would viol ate the requirements 
in paragraph (g) because of the student's 
knowledge of the identity of the other 
students to whom the record relates. 
This commenter said that the 
regulations should not be adopted if 
they do not address these due process 
concerns. 

Several commenters said they 
appreciated the addition of a student's 
date of birth and other indirect 
identifiers in the definition of 
personally identifiable information. 
Another commenter said that a 
comprehensive list of indirect 
identifiers would be helpful. One 
commenter asked us to defi ne the 
concept of indirect identifiers. Another 
commenter asked us to clarify which 
personally identifiable data elements 
may be released without consent. A 
commenter asked us to defi ne the term 
biometric record as used in the 
definition of personally identifiable 
information. 

Discussion: Thejoint Statement 
explains that the purpose of FERPA is 
two-fold: to assure that parents and 
eligible students can access the 
student's education records, and to 
protect their right to privacy by limiting 
the transferabi I ity of thei r education 
records without thei r consent. 120 Cong. 
Rec. 39862. As such, FERPA is not an 
open records statute or part of an open 
records system. The only parties who 
have a ri ght to obtai n access to 
education records under FERPA are 
parents and eligible students. 

Journalists, researchers, and other 
members of the publ ic have no right 
under FERPA to gain access to 
education records for school 
accountabi I ity or other matters of publ ic 
interest, including misconduct by those 
running for public office. Nonetheless, 
as explained in the preamble to the 
NPRM, 73 FR 15584-15585, we believe 
that the regulatory standard for defining 
and removing personally identifiable 
information from education records 
establishes an appropriate balance that 
faci I itates school accountabi I ity and 
educational research while preserving 
the statutory privacy protections in 
FERPA. 

The simple removal of nominal or 
direct identifiers, such as name and SSN 
(or other ID number), does not 
necessari I y avoi d the rel ease of 
personally identifiable information. 
Other information, such as address, date 



and place of birth, race, ethnicity, 
gender, physical description, disability, 
activities and accomplishments, 
disciplinary actions, and so forth, can 
indirectly identify someone depending 
on the combi nation of factors and level 
of detail released. Similarly, and as 
noted in the preambleto the NPRM, 73 
FR 15584, the existing professional 
I iterature makes cl ear that publ i c 
di rectories and previously released 
information, including local publicity 
and even information that has been de- 
identified, is sometimes linked or 
linkableto an otherwise de- identified 
record or data set and renders the 
information personally identifiable. The 
regulations properly require parties that 
release information from education 
records to address these situations. 

We removed the "easily traceable" 
standard from the definition of 
personally identifiable information 
because it lacked specificity and clarity. 
We were also concerned that the "easi ly 
traceable" standard suggested that a 
fairly low standard applied in protecting 
education records, i.e., that information 
was considered personally identifiable 
only if it was easy to identify the 
student. 

The removal of the "easily traceable" 
standard and adoption of the standards 
in paragraphs (f) and (g) will not affect 
a parent's right under FERPA to inspect 
and review his or her chi Id's education 
records. Records that teachers and other 
school officials maintain on students 
that use only initials, nicknames, or 
personal descriptions to identify the 
student are education records under 
FERPA because they are directly related 
to the student. 

Further, records that identify a 
student by initials, nicknames, or 
personal characteristics are personally 
identifiable information if, alone or 
combined with other information, the 
initials are linked or linkableto a 
specific student and would allow a 
reasonable person in the school 
community who does not have personal 
knowledge about the situation to 
identify the student with reasonable 
certainty. For example, if teachers and 
other individuals in the school 
community generally would not be able 
to identify a specific student based on 
the student's initials, nickname, or 
personal characteristics contained in the 
record, then the information is not 
considered personally identifiable and 
may be released without consent. 
Experience has shown, however, that 
initials, nicknames, and personal 
characteri sti cs are often suff i ci entl y 
unique in a school community that a 
reasonable person can identify the 
student from this kind of i nformati on 



even without access to any personal 
knowledge, such as a key that 
specifically links the initials, nickname, 
or personal characteri sties to the 
student. 

In contrast, if a teacher uses a special 
code known only by the teacher and the 
student (or parent) to identify a student, 
such as for posti ng grades, this code is 
not considered personally identifiable 
information under FERPA because the 
only reason the teacher can identify the 
student i s because of the teacher's 
access to personal knowledge of the 
relevant circumstances, i.e., the key that 
I i nks the code to the student's name. 

In response to the commenter who 
stated that a school should not be 
prevented from releasing information 
when the subject of the record has 
waived any pretense of confidentiality 
by contacting the media and making the 
incident well-known in the community, 
we have found that in limited 
circumstances a parent or student may 
impliedly waive their privacy rights 
under FERPA by disclosing information 
to parties in a special relationship with 
the institution, such as a licensing or 
accreditation organization. Flowever, we 
have not found and do not bel ieve that 
parents and students generally waive 
their privacy rights under FERPA by 
sharing information with the media or 
other members of the general publ ic. 

The fact that i nformati on i s a matter of 
general public interest does not give an 
educational agency or institution 
permi ssi on to rel ease the same or 
related information from education 
records without consent. 

The "reasonableness" standards in 
paragraphs (f) and (g) of the new 
definition, which replace the "easily 
traceable" standard, do not require the 
exercise of subjecti ve judgment or 
inquiries into a requester's motives. 

Both provisions require the disclosing 
party to use legally recognized, objective 
standards by referring to identification 
not in the mind of the disclosing party 
or requester but by a reasonable person 
and with reasonable certainty, and by 
requiring the disclosing party to 
withhold information when it 
reasonably bel i eves certain facts to be 
present. These are not subjective 
standards, and these changes will not 
diminish the privacy protections in 
FERPA. 

The standard proposed in paragraph 
(f) regarding the knowledge of a 
reasonable person in the school or its 
community was not intended to 
describe the technological or scientific 
skill level of a person who would be 
capable of re-identifying statistical 
information or redacted records. Rather, 
it provided the standard an agency or 
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institution should use to determine 
whether statistical information or a 
redacted record will identify a student, 
even though certain identifiers have 
been removed, because of a well- 
publ i ci zed i nci dent or some other factor 
known in the community. For example, 
as explained in the preamble to the 
NPRM, 73 FR 15583, a school may not 
rel ease stati sti cs on penal ti es i mposed 
on students for cheati ng on a test where 
the local media have published 
identifiable information about the only 
student (or students) who received that 
penalty; that statistical information or 
redacted record is now personally 
identifiable to the student or students 
because of the local publicity. 

Paragraph (f) in the proposed 
definition provided that the agency or 
institution must make a determination 
about whether information is personally 
identifiable information not with regard 
to what someone with personal 
knowledge of the relevant 
circumstances would know, such as the 
principal who imposed the penalty, but 
with regard to what a reasonable person 
in the school or its community would 
know, i.e., based on local publicity, 
communications, and other ordinary 
conditions. We agree with the comment 
that the "school or its community" 
standard was confusing because it was 
not clear whether just the school itself 
or the larger community in which the 
school is located is the relevant group 
for determining what a reasonable 
person would know. 

We are changing this standard in 
paragraph (f) to the "school 
community" and by this change we 
mean that an educational agency or 
institution may not select a broader 
"community" standard when the 
information to be released would be 
personally identifiable under the 
narrower "school" standard. For 
example, it might be well known among 
students, teachers, administrators, 
parents, coaches, volunteers, or others at 
the local high school that a student was 
caught bringing a gun to class last 
month but generally unknown in the 
town where the school is located. In 
these circumstances, a school district 
may not disclose that a high school 
student was suspended for bri ngi ng a 
gun to class last month, even though a 
reasonabl e person in the community 
where the school is located would not 
be able to identify the student, because 
a reasonable person in the high school 
would be able to identify the student. 
The student's privacy is further 
protected because a reasonable person 
in the school community is also 
presumed to have at least the knowledge 
of a reasonable person in the local 



community, the region or State, the 
United States, and theworld in general. 
The "school community" standard, 
therefore, provides the maximum 
privacy protection for students. 

We do not agree that the reference to 
"reasonable person" should be changed 
to "ordinary person." "Reasonable 
person" is a legally recognized standard 
that represents a hypothetical, rational, 
prudent, average individual. Itwould be 
confusing and inappropriate to 
introducea new term "ordinary" in this 
context. 

The standard in paragraph (f) 
excludes from the "reasonable person in 
the school community" standard 
persons who have personal knowledge 
of the "relevant circumstances," which 
onecommenter considered vague. 

Under this standard, an agency or 
institution is not required to take into 
consideration when releasing redacted 
or statistical information that someone 
with special knowledge of the 
circumstances could identify the 
student. For example, if it is generally 
known in the school community that a 
particular student is HIV-positive, or 
that there is an HIV-positive student in 
the school, then the school could not 
reveal that the only HIV-positive 
student in the school was suspended. 
However, if it is not generally known or 
obvious that there is an HIV-positive 
student in school, then the same 
information could be released, even 
though someone with special 
knowledge of the student's status as 
HIV-positive would beableto identify 
the student and I earn that he or she had 
been suspended. 

The provisions in paragraph (g) 
regarding targeted requests do not 
require an educational agency or 
institution to ascertain or guess a 
requester's motives for seeki ng 
information from education records or 
what a requester intends to do with the 
information. This paragraph addresses a 
situation in which a requester seeks 
what might generally qualify as a 
properly redacted record but the facts 
i nd i cate that redacti on i s a usel ess 
formality because the subject's identity 
is already known. 

An educational agency or institution 
is not required under paragraph (g) to 
make any special inquiries or otherwise 
seek information about the person 
requesting information from education 
records. It must use information that is 
obvi ous on the face of the request or 
provided by the requester, such as when 
a requester asks for the redacted 
transcripts of a particular student. 
Paragraph (f) also requires an agency or 
institution to use information known to 
a reasonable person in the school 



community, such as when a requester 
asks for the redacted transcri pts of al I 
basketbal I pi ayers who were expel I ed 
for accepti ng bri bes after the I ocal 
newspaper publ ished a story about the 
matter. Paragraphs (f) and (g) do not 
require an educational agency or 
institution to inquire whether a 
requester has special knowledge not 
avail able generally in the school 
community that would make the subject 
of the record identifiable. We disagree 
with the comment that paragraph (f) is 
sufficient and paragraph (g) should be 
removed. Paragraph (g) addresses the 
problem of targeted requests, which is 
not addressed under paragraph (f). 

We agree with the comment that the 
provision in paragraph (g) under which 
an agency or institution must determine 
whether the information requested is 
personally identifiable information 
based on its reasonable bel ief that the 
requester has "direct, personal" 
knowledge of the identity of the student 
to whom the record relates is ambiguous 
and confusing, especially in relation to 
what might be considered indirect 
knowledge. Therefore, we have 
modified this provision so that an 
educational agency or institution must 
simply have a reasonable belief that the 
requester knows the identity of the 
student to whom the record relates. 

In reviewing a complaint that an 
educational agency or institution 
disclosed personally identifiable 
information from an education record in 
response to a targeted request, the 
Department would examine the request 
itself, the facts on which the agency or 
institution based its decision to release 
the information, as well as any 
information known generally in the 
school community that the agency or 
institution failed to take into account. 
The Department would also counsel an 
agency or institution about the nature of 
the violation in connection with the 
Department's responsi bi I i ty for seeki ng 
voluntary compliance with FERPA 
before initiating any enforcement action 
under § 99.67. 

With regard to the comment that the 
standard in paragraph (g) will impair 
due process in student discipline cases, 
it is unclear what the commenter means 
by releasing redacted witness statements 
under its current practice. Education 
records are defined in FERPA as records 
that are d i recti y rel ated to a student and 
maintained by an educational agency or 
institution, or by a party acti ng for the 
agency or institution. 20 U.S.C. 
1232g(a)(4)(A); 34CFR 99.3. Under this 
definition, a parent (or eligible student) 
has a right to inspect and review any 
witness statement that i s di recti y related 
to the student, even if that statement 
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contains information that is also directly 
related to another student, if the 
information cannot be segregated and 
redacted without destroying its 
meaning. 

For example, parents of both John and 
Michael would have a right to inspect 
and review the foil owing information in 
a witness statement mai ntai ned by thei r 
school district because it is directly 
related to both students: "John grabbed 
Michael's backpack and hit him over the 
head with it." Further, in this example, 
before allowing Michael's parents to 
inspect and review the statement, the 
district must also redact any 
information about John (or any other 
student) that is not directly related to 
Michael, such as: "John also punched 
Steven in the stomach and took his 
gloves." Since Michael's parents likely 
know from their son about other 
students involved in the altercation, 
under paragraph (g) the district could 
not rel ease any part of th i s sentence to 
M i chael 's parents. We note al so that the 
sanction imposed on a student for 
misconduct is not generally considered 
directly related to another student, even 
the student who was injured or 
victimized by the disciplined student's 
conduct, except if a perpetrator has been 
ordered to stay away from a vi cti m. 

In order to provide maximum 
flexibility to educational agencies and 
institutions, wedid not attempt to 
define or list all other "indirect 
identifiers". We believe that the 
examples listed in paragraph (3) of the 
definition of personally identifiable 
information— date of birth, place of 
birth, and mother's maiden name— 
indicate clearly the kind of information 
that could identify a student. Race and 
ethnicity, for example, could also be 
indirect identifiers. It is not possible, 
however, to I i st al I the possi bl e i nd i rect 
identifiers and ways in which 
information might indirectly identify a 
student. Further, uni ike the FIIPAA 
Privacy Rule, these regulations do not 
attempt to provide a "safe harbor” by 
listing all the information that may be 
removed i n order to sati sfy the de- 
identification requirements in 
§ 99.31(b). We have also added a 
definition of biometric record that is 
based on National Security Presidential 
Directive 59 and Flomeland Security 
Presidential Directive 24. 

Changes: We added a definition of 
biometric record, which provides that 
the term means a record of one or more 
measurable biological or behavioral 
characteristics that can be used for 
automated recognition of an individual. 
Examples include fingerprints, retina 
and iris patterns, voiceprints, DNA 



sequence, facial characteristics, and 
handwriting. 

We also have revised paragraph (f) in 
the definition of personally identifiable 
information to change the reference 
"school or its community" to "school 
community." In paragraph (g) of the 
definition of personally identifiable 
information, we removed the 
requi rement that the requester have 
"direct, personal knowledge." As 
revised, paragraph (g) provides that 
personally identifiable information 
means information requested by a 
person who the educational agency or 
institution reasonably believes knows 
the identity of the student to whom the 
record relates. 

(b) De-ldentified Records and 
Information 

Comment: We received a number of 
comments on § 99.31(b)(1), which 
would allow an educational agency or 
institution, or a party that has received 
personally identifiable information from 
education records, to rel ease the records 
or information without parental consent 
after the removal of all personally 
identifiable information, provided that 
the educational agency or institution or 
other party has made a reasonable 
determination that a student's identity 
is not personally identifiable because of 
unique patterns of information about the 
student, whether through single or 
multiple releases, and taking into 
account other reasonably avai I able 
information. In order to permit ongoing 
educational research with the same 
data, § 99.31(b)(2) allows an educational 
agency or institution or other party that 
releases de-identified, non-aggregated 
data (also known as “microdata") from 
education records to attach a code to 
each record, which may allow the 
recipient to match information received 
from the same source, under three 
conditions— (1) the educational agency 
or institution does not disclose any 
information about how it generates and 
assigns a record code, or that would 
allow a recipient to identify a student 
based on a record code; (2) the record 
code is used for no purpose other than 
identifying a de-identified record for 
purposes of education research and 
cannot be used to ascertai n personal I y 
identifiable information about a student; 
and (3) the record code is not based on 
a student's social security number or 
other personal information. 

Several commenters supported these 
proposed regulations and said that they 
will help facilitate valuable educational 
research. One of these commenters said 
that the provisions for de-identification 
of education records create clear 
standards that will allow researchers to 



conduct necessary research without 
compromising student privacy. One 
commenter appreciated bei ng able to 
attach a code or I i nki ng key to records 
to faci I itate matchi ng students across 
data sets whi le preservi ng student 
confidentiality. 

One commenter stated that de- 
identified data do not support 
appropriate analytical research that will 
lead to improved educational outcomes. 
Further, according to this commenter, 
complete de-identification of 
systematic, longitudinal data on every 
student may not be possible. 

Two commenters expressed concern 
that agencies and institutions redact too 
much information from education 
records and said that the Department 
should err on the side of disclosure of 
disaggregated data so thatjournalists 
and researchers can obtain accurate 
information about how students in 
every accountabi I ity subgroup are 
performing. These commenters said that 
the regulations should take into account 
the real track record of journalists and 
researchers in maintaining the 
confidentiality of information from 
education records. 

One commenter said that many 
institutions and individuals have the 
ability to re-identify seemingly de- 
identified data and that it isgenerally 
much easi er to do than most peopl e 
real ize because 87 percent of A meri cans 
can be identified uniquely from their 
date of birth, five-digit zip code, and 
gender. This commenter said that the 
regulations need to take into account 
that re-identification is a much greater 
risk for student data than other kinds of 
information because FERPA allows for 
the regular publication of student 
directories that contain a wealth of 
personal information, including address 
and date of bi rth, that can be used with 
existi ng tools and emergi ng technology 
to re-identify statistical data, even by 
non-experts. 

Another commenter said that because 
the de-identification process is so 
resource-intensive, the regulations 
should allow the research entity to de- 
identify education records as a 
contractor under § 99.31(a)(1) of the 
regulations. 

We explained in the preamble to the 
NPRM (73 FR 15585) that educational 
agencies and institutions should 
monitor rel eases of coded, de-identified 
microdata from education records to 
ensure that overlapping or successive 
rel eases do not resu 1 1 i n data sets i n 
which a student's personally 
identifiable i nformation is disclosed. 
One commenter said that this 
monitoring requirement was too 
burdensome given the vast number of 
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data requests it receives and asked us to 
limit the monitoring requirement to 
single or multiple releases it makes to 
the same party. A n SEA asked 
specifically for clarification in the 
regulations regarding what steps, if any, 
it must take to ensure that multiple 
releases of de-identified data to the 
same requester over ti me that the 
requester i ntends to use for a 
longitudinal study do not result in small 
data cel I s that may reveal the i denti ty of 
the student. A school district said that 
the regulations should require the 
destruction of de-identified information 
from education records by the receiving 
party to avoid the problem of combining 
successive data releases to identify 
students. 

Some commenters said that the 
regulations should provide objective 
standards for the de-identification of 
education records. Onecommenter 
asked the Department to prescribe a 
method for States to adopt to ensure that 
student confidentiality is protected. 

Two commenters asked sped f i cal I y for 
guidance on what minimum cell size 
should be allowed when releasing 
statistical information. Several 
commenters said that SEAs and school 
districts need specific guidance 
regard i ng the rel ease of student 
achievement data under the NCLB, 
including, in particular, reporting 100 
percent achievement of certai n 
performance levels on State 
assessments. One commenter who 
opposed restrictions on the release of 
de-identified data referred to instances 
in which some States have created 
minimum cell sizes of 100 for reporting 
disaggregated data under NCLB, which 
prevents the release of a great deal of 
important information. Another 
commenter said that our discussion of 
small cell sizes in the preamble to the 
NPRM, 73 FR 15584, reflected a 
misunderstanding of the problem. 

Onecommenter said that § 99.31(b) is 
confusing because it is not clear how 
paragraph (b)(2), which is limited to 
educational research, relates to 
paragraph (b)(1), which is not so 
limited. This commenter also said that 
the regulations impose an unnecessary 
burden on the entity receivi ng a request 
for information and that the 
requi rements of paragraph (f) in the 
definition of personally identifiable 
information are sufficient to de-i denti fy 
education records. Another commenter 
said that the language in § 99.31(b)(1) 
that requi res consideration of unique 
patterns of i nformati on about a student 
is confusing and creates ambiguity 
because the definition of personally 
identifiable information itself 
incorporates standards for de- 



i denti fi cati on that appear to d i ffer from 
the standard in § 99.31(b). 

Discussion: As explained in the 
preambletotheNPRM, 73 FR 15584- 
15585, we believe that the regulatory 
standard for de-identifying information 
from education records establishes an 
appropri ate bal ance that faci I i tates the 
rel ease of appropri ate i nformati on for 
school accountability and educational 
research purposes while preserving the 
statutory privacy protections in FERPA. 
Unlike the HIPAA Privacy Rule, these 
regulations do not attempt to provide a 
"safe harbor" by listing all the direct 
and indirect identifiers that may be 
removed to satisfy the de-identification 
requirements in § 99.31(b). Rather, they 
are intended to provide standards under 
which information from education 
records may be released without 
consent because al I personal I y 
identifiable information has been 
removed. 

The Department recognizes that de- 
identified data may not be appropriate 
for all educational research purposes 
and that complete de-identification of 
longitudi nal student data may not be 
possible without sacrificing essential 
content and usability. In these 
situations, and as discussed elsewhere 
in this preamble, FERPA allows the 
disclosure and redisclosure of 
personally identifiable information from 
education records, without consent, to 
researchers under the terms and 
conditions specified in §§ 99.31(a)(1), 
99.31(a)(3), and 99.31(6). We note that a 
researcher who receives personal ly 
identifiable information under these 
provisions would, however, have to de- 
i denti fy any report or other information 
in accordance with § 99.31(b) before 
releasing it to the public or other 
parties, including other researchers. 

In response to comments that 
educational agencies and institutions 
may remove too much information from 
education records, we note that while 
we have attempted to provide a 
bal anced standard for the rel ease of de- 
identified data for school accountability 
and other purposes, FERPA is a privacy 
statute, and no party has a right under 
FERPA to obtain information from 
education records except parents and 
eligible students. Further, there is no 
statutory authority in FERPA to modify 
the prohibition on disclosure of 
personally identifiable information from 
education records, or the exceptions to 
the written consent requirement, based 
on the track record of the party, 
including journalists and researchers, in 
maintaining the confidentiality of 
information from education records that 
they have received. 



I n response to the comment about 
allowing a researcher to de-i denti fy 
education records, educational agencies 
and institutions may outsource the de- 
identification process to any outside 
service provider serving as a school 
official in accordance with the 
requirements in § 99.31(a)(l)(i)(B). 
(Those requi rements are discussed in 
detail in the preamble to the NPRM at 
73 FR 15578-15580 and elsewhere in 
these final regulations.) State and local 
educational authorities and Federal 
officials and agencies listed in 
§ 99.31(a)(3) may outsource the de- 
identification process to their 
authorized representatives under the 
conditions specified in §99.35. 

We agree that the risk of re- 
identification may be greater for student 
data than other information because of 
the regular publication of student 
directories, commercial databases, and 
de-identified but detailed educational 
reports by States and researchers that 
can be manipulated with increasing ease 
by computer technology. As noted in 
the preamble to the NPRM, 73 FR 
15584, the re-identification risk of any 
given release is cumulative, i.e., directly 
related to what has previously been 
released, and this includes both 
publ i cl y-avai I abl e d i rectory 
information, which is personally 
identifiable, and de-identified data 
releases. For that reason, we advised in 
the NPRM that parties should minimize 
information released in directories to 
the extent possi bl e because, si nee the 
enactment of FERPA in 1974, the risk of 
re-identification from such information 
has grown as a result of new 
technologies and methods. 

I n response to comments about the 
need to monitor releases of coded, de- 
identified microdata to avoid re- 
identification of the data, because the 
risk of re-identification is cumulative, 
when making a new disclosure of coded 
data an educational agency or 
institution or other party must take into 
account al I releases of information from 
education records it has made, not just 
releases it has made to the recipient of 
new data. We note that some of the 
publicly avail able directory information 
and de-identified data rel eases that need 
to be taken i nto account have been 
produced by the same agency or 
institution, State or local educational 
authority, or Federal official that wishes 
to release newly de-identified 
information. In general, FERPA poses no 
restrictions on the red pient's use of 
directory information and de-identified 
data from education records. Therefore, 
it may be unclear whether previous data 
rel eases are avai I abl e general I y, have 
been shared with a limited number of 
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parties, or not shared at all. Further, 
unlike personally identifiable 
information that is disclosed under 
§§ 99.31(a)(3) and (a)(6), de-identified 
information from education records 
does not have to be destroyed when no 
longer needed for the purposes for 
which it was released. We note, 
however, that a releasing party would 
reduce its monitoring responsi bilities if 
it requires destruction or prohibits 
redisclosure of coded, de-identified 
microdata, because coded, de-identified 
microdata has a higher risk of re- 
identification than de-identified 
microdata. In the future the Department 
will provide further information on how 
to monitor and limit disclosure of 
personally identifiable information in 
successi ve stati sti cal data rel eases. 

In response to requests for guidance 
on what specific steps and methods 
should be used to de-identify 
information (and as noted in the 
preambleto the NPRM, 73 FR 15584), it 
is not possible to prescribe or identify 
a single method to minimize the risk of 
disclosing personally identifiable 
information in redacted records or 
statistical information that will apply in 
every circumstance, including 
determining whether defini ng a 
minimum cell size is an appropriate 
means to protect the confidentiality of 
aggregated data and, if so, selection of 
an appropriate number. This is because 
determining whether a particular set of 
methods for de-identifying data and 
limiting disclosure risk is adequate 
cannot be made without examining the 
underlying data sets, other data that 
have been released, publicly available 
directories, and other data that are 
linked or linkableto the information in 
question. For these reasons, we are 
unableto provide examples of rules and 
policies that necessarily meet the de- 
identification requirements in 
§ 99.31(b). The releasi ng party is 
responsi blefor conducting its own 
analysis and identifying the best 
methods to protect the confidential ity of 
information from education records it 
chooses to release. We recommend that 
State educational authorities, 
educational agencies and institutions, 
and other parties refer to the examples 
and methods described in the NPRM at 
page 15584 and refer to the Federal 
Committee on Statistical Methodology's 
Statistical Policy Working Paper 22, 
www.fcsm.gov/working-papers/ 
wp22.html, for additional guidance. 

With regard to issues with NCLB 
reporting in particular, determining the 
minimum cell size to ensure stati sti cal 
reliability of information is a completely 
different analysis than that used to 
determi ne the appropri ate mi ni mum 



cell size to ensure confidential ity. 
Further, as noted in the preceding 
paragraph and in the preambleto the 
NPRM, use of minimum cell sizes or 
data suppression is only one of several 
ways in which information from 
education records may be de-identified 
before rel ease. Stati sti cal Pol i cy 
Worki ng Paper 22 descri bes other 
disclosure limitation methods, such as 
"top coding" and "data swapping," 
which may be moresuitablethan simple 
data suppression for releasi ng the 
maximum amount of information to the 
public without breaching confidentiality 
requirements. Decisions regarding 
whether to use data suppression or 
some other method or combination of 
methods to avoid disclosing personally 
identifiable information in statistical 
information must be made on a case-by- 
case basis. 

We agree with the commenter who 
said that the example we provided in 
the preambleto the NPRM regarding the 
small cell problem in reporting that two 
FI i span ic females failed to graduate was 
misleading and offer the following, 
more complete explanation. Simply 
knowing that one out of 100 FH ispanic 
females fai led to graduate does not 
identify which of the Flispanic females 
it might be. But suppose this female is 
an English language learner who is also 
enrolled in special education classes. 
The school also publishes tables on 
participation in special education 
classes by race, ethnicity, and grade, 
and tables that include the graduation 
status of FI i span i c femal es d i saggregated 
in one table by English language 
proficiency status, and by participation 
in special education classes in another. 
Sup pose th at th ese th ree tabu I ati on s 
each show separatel y that there is one 
12th grade Flispanic female enrol led in 
special education classes, that the one 
Flispanic female who did not graduate 
was enrolled in special education 
classes, and that the one Flispanic 
female who did not graduate was an 
English language learner. With this 
i nformati on, the d i seem i ng observer 
knows that the one Flispanic female 
who failed to graduate is an English 
language learner and that she was the 
only 12th grade Flispanic student 
enrolled in special education classes. 
Any number of people in the school 
would be able to identify the Flispanic 
female who did not graduate with these 
three pieces of information. 

Expanding the example to two 
individuals, the logic issimilar, except 
in this case each of the Flispanic females 
knows her own characteristics and can 
find herself in each of the avail able 
tables, and thus by a process of 
el i m i n ati on i d enti f i es th e characteri sti cs 



of the other non-graduate, perhaps 
learning something she did not already 
know about the other student. The 
published tables show that there are two 
12th grade FI ispanic females enrol led in 
special education classes, one with a 
learning disability and one with mental 
retardation. The tables also show that 
the two Flispanic females who did not 
graduate were enrolled in special 
education classes, and that the two 
Flispanic females who did not graduate 
were both English language learners. 
Others in the school community may be 
able to identify the two 12th grade 
Flispanic females who are English 
language learners enrol led in special 
education classes, but not necessari ly be 
ableto distinguish the student with the 
learning disabil ity from the student with 
mental retardation. Flowever, each girl 
knows her own disability and by the 
process of elimination now knows the 
other girl's disabil ity. Similarly, anyone 
with knowledge of one of the two 
Flispanic females who did not graduate 
can find that girl in the tables, and then 
i sol ate the characteri sti cs that bel ong to 
the other Flispanic female. 

This exampl e can be expanded to an 
example with three Flispanic females 
who fail to graduate. All three of the 
Flispanic females who did not graduate 
are English language learners, and two 
Flispanic females who did not graduate 
are enrolled in special education 
classes— one with a learningdisability 
and the other with mental retardation. 

In this case, the one Flispanic female 
who is an English language learner and 
did not graduate now knows that the 
other two Flispanic females in her 
English language learner classes and 
also did not graduate are in the special 
education program, but she does not 
know which condition each girl has. By 
the same logic, each of the two females 
who did not graduate and are in special 
education classes knows her own 
disability and as a result knows the 
disability of the other Flispanic female 
who was an English language learner 
enrolled in special education classes 
who did not graduate. These are some 
examples of situations in which small 
cell data reveals personally identifiable 
information from education records. 

The Secretary has no statutory 
authority to modify the regulations to 
allow LEAsand SEAs to report that 100 
percent of students achieved specified 
performance levels. In that regard we 
note that the Department's Non- 
Regulatory Guidance for NCLB Report 
Cards (2003) provides: 

[S]chools must also ensure that the data 
they report do not reveal personally 
identifiable information about individual 
students* * *. States must adopt a strategy 
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for dealing with asituation in which all 
students in a particular subgroup scored at 
the same achievement level. One solution, 
referred to as "masking” thedata, isto use 
the notation of >95% when all students in a 
subgroup score at the same achievement 
I evel . 

See www.ed . gov/ p rogra ms/ti tl ei pa rta / 
reportcardsguidance.doc on page 3. 
Likewise, LEAsand SEAs must adopt a 
strategy for ensuring that they do not 
disclose personally identifiable 
information about low-performing 
students when they release information 
about their high-performing students. 

I n response to the comments that 
paragraphs (1) and (2) in § 99.31(b) are 
confusing, paragraph (1) establishes a 
standard for de-identi tying education 
records that applies to disclosures made 
to any party for any purpose, including, 
for example, parents and other members 
of the general public who are i nterested 
in school accountability issues, as well 
as education policy makers and 
researchers. The release of de-identified 
information from education records 
under § 99.31(b)(1) is not limited to 
education research purposes because, by 
definition, the information does not 
contain any personally identifiable 
information. 

Paragraph (2) of § 99.31(b) applies 
only to parties conducting education 
research; it allows an educational 
agency or institution, or a party that has 
received education records, such as a 
State educational authority, to attach a 
code to each record that may al low the 
researcher to match microdata received 
from the same educational source under 
the conditions specified. The purpose of 
paragraph (2) isto facilitate education 
research by authorizing the release of 
coded microdata. The requi rements i n 
paragraph (2) that apply to a record code 
preclude matching de-identified data 
from education records with data from 
another source. Therefore, by its terms, 
the release of coded microdata under 
paragraph (2) is limited to education 
research. 

We agree with the commenter who 
stated that the reference i n § 99.31(b)(1) 
to "unique patterns of information about 
a student" is confusing in relation to the 
definition of personally identifiable 
information and believe that it 
essentially restated the requirements in 
paragraph (f) of the definition. 

Therefore, we have removed this phrase 
from the regulations. We disagree that 
the definition of personally identifiable 
information and the requirements in 
§ 99.31(b) impose an unnecessary 
burden on the entity receivi ng a request 
for de-identified information from 
education records and that the 
requirements in paragraph (f) in the 



definition are sufficient. As explained 
above, paragraph (f) does not address 
the problem of targeted requests. It also 
does not address the re-identification 
risk associated with multipledata 
releases and other reasonably available 
information, or allow for the coding of 
de-identified micro data for educational 
research purposes. Section 99.31(b) 
provides the additional standards 
needed to help ensure that educational 
agencies and institutions and other 
parties do not identify students when 
they release redacted records or 
statistical data from education records. 

Changes: We have removed the 
reference to "unique patterns of 
information" in § 99.31(b). 

Notification of Subpoena (§ 99.33(b)(2)) 

Comment: We received a few 
comments on our proposal in 
§ 99.33(b)(2) to requi re a party that has 
received personally identifiable 
information from education records 
from an educational agency or 
institution to provide the notice to 
parents and eligible students under 
§ 99.31(a)(9) before it discloses that 
information on behalf of an educational 
agency or institution in compliance 
with a judicial order or lawfully issued 
subpoena. One national education 
association supported the proposed 
amendment. 

One commenter asked the Department 
to clarify the i ntent of the proposed 
language. This commenter said that, 
when an educational agency or 
institution requests that a third party 
make the disclosure to comply with a 
lawfully issued subpoena or court order, 
it is reasonableto expect the 
educational agency or institution to 
send the requi red notice to the 
student(s). The commenter also said that 
it was not clear from the proposed 
change whether it is sufficient for the 
educational agency or institution to 
send the notice or whether it must come 
from the third party. 

Discussion: The Secretary agrees that 
there needs to be clarification about 
which party is responsible for notifying 
parents and el i gi bl e students before an 
SEA or other third party outside of the 
educational agency or institution 
discloses education records to comply 
with a lawfully issued subpoena or 
court order. We have revised the 
regulation to provide that the burden to 
notify a parent or eligible student rests 
with the recipient of the subpoena or 
court order. While a third party, such as 
an SEA, that is the recipient of a 
subpoena or court order is responsible 
for notifying the parents and eligible 
students before complying with the 
order or subpoena, the educational 



agency or institution could assist the 
third party in the notification 
requirement, by providing it with 
contact i nformati on so that it could 
provide the notice. 

In order to ensure that this new 
requi rement is enforceable, we have also 
revised § 99.33(e) so that if the 
Department determi nes that a thi rd 
party, such as an SEA, did not provide 
the notification required under 
§ 99.31(a)(9)(H), the educational agency 
or institution may notallow that third 
party access to education records for at 
I east five years. 

Changes: We have amended 
§ 99.33(b)(2) to clarify that the third 
party that receives the subpoena or 
court order is responsible for meeting 
the notification requirements under 
§ 99.31(a)(9). We also have revised 
§ 99.33(e) to provide that if the 
Department determi nes that a thi rd 
party, such as an SEA, did not provide 
the notification required under 
§ 99.31(a)(9)(H), the educational agency 
or institution may notallow that third 
party access to education records for at 
I east five years. 

Health or Safety Emergency (§ 99.36) 

Comment: We received many 
comments in support of our proposal to 
amend § 99.36 regarding disclosures of 
personally identifiable information 
without consent in a health or safety 
emergency. M ost of the parties that 
commented stated that the proposed 
changes demonstrated the right balance 
between student privacy and campus 
safety. A number of commenters 
specifically supported the clarification 
regard i n g th e d i sc I osu re of i nformati on 
from an eligible student's education 
records to that student's parents when a 
health or safety emergency occurs. One 
commenter said that the proposed 
amend ment woul d provi de appropri ate 
protection for sensitive and otherwise 
protected information while clarifying 
that educational agencies and 
institutions may notify parents and 
other appropriate individuals in an 
emergency so that they may i ntervene to 
help protect the health and safety of 
those involved. 

Discussion: We appreciate the 
commenters' support for the 
amendments to the "health or safety 
emergency" exception in § 99.36(b). 
Educational agencies and institutions 
are permitted to disclose personally 
identifiable information from students' 
education records, without consent, 
under § 99.31(a)(10) in connection with 
a health or safety emergency. 

Disclosures under § 99.31(a)(10) must 
meet the conditions described in 
§ 99.36. We address specific comments 
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about the proposed amendments to this 
exception in thefollowing paragraphs. 

Changes: None. 

(a) Disclosure in Non-Emergency 
Situations 

Comment: Some commenters 
suggested that we i nterpret § 99.36 to 
permit the sharing of information on 
reportable diseases to health officials in 
non-emergency situations. These 
commenters stated that the disclosure of 
routine immunization data should be 
subject to State, local, and regional 
public health laws and regulations and 
not FERPA. One of these commenters 
noted that the HI PA A Privacy Rule 
al I ows covered entities to disclose 
personally identifiable health data, 
without consent, to public health 
authoriti es. 

Discussion: There is no authority in 
FERPA to exclude students' 
immunization records from the 
definition of education records in 
FERPA. Further, theHIPAA Privacy 
Rule specifically excludes from 
coverage health care information that is 
maintained as an "education record” 
under FERPA. 45 CFR 160.103, 

Protected health information. We 
understand that theHIPAA Privacy Rule 
al I ows covered entities to disclose 
identifiable health data without written 
consent to public health authorities. 
However, there is no statutory exception 
to the written consent requi rement i n 
FERPA to permit this type of disclosure. 

Asexplained in the preamble to the 
NPRM (73 FR 15589), the amendment to 
the health or safety emergency 
exception in § 99.36 does not allow 
disclosures on a routine, non-emergency 
basi s, such as the routi ne shari ng of 
student i nformation with the local 
police department. Likewise, this 
exception does not cover routine, non- 
emergency disclosures of students' 
immunization data to public health 
authorities. Consequently, there is no 
statutory basis for the Department to 
revise the regulatory language as 
requested by the commenters. 

Changes: None. 

(b) Strict Construction Standard 

Comment: Several commenters 
expressed concern that removing the 
language from current § 99.36 requiring 
strict construction of the "health and 
safety emergency" exception and 
substituting the language providing for 
a "rational basis" standard would not 
requi re schools to makean individual 
assessment to determi ne if there is an 
emergency that warrants a disclosure. 
One commenter stated that removal of 
the "strict construction" requirement 
would severely weaken the 



Department's enforcement capabi I i ties 
and that schools may see this change as 
an excuse to disclose sensitive student 
information when there is not a real 
emergency. 

A commenter stated that the removal 
of the "strict construction" requirement 
would mean that the Department would 
eliminate altogether its review of actions 
taken by schools under the health and 
safety emergency exception. Another 
commenter stated that removi ng the 
requ i rement that thi s excepti on be 
strictly construed could erode the 
privacy rights of individuals. The 
commenter noted that because parents 
and eligible students cannot bring suit 
in court to enforce FERPA, schools face 
virtually no liability if they violate 
FERPA requirements. 

A commenter asked that the 
Department clarify what is meant by an 
"emergency" and how severe a concern 
must be to qual ify as an emergency. 

Discussion: Section 99.36(c) 
eliminates the previous requirement 
that paragraphs (a) and (b) of this 
section be "strictly construed" and 
provides instead that, in making a 
determination whether a disclosure may 
be made under the "health or safety 
emergency" exception, an educational 
agency or institution may take into 
account the total ity of the ci rcumstances 
pertai ni ng to a threat to the health or 
safety of a student or other individuals. 
The new provision states that if there is 
an articulable and significant threat to 
the health or safety of the student or 
other individuals, an educational 
agency or institution may disclose 
information to appropriate parties. 

As we indicated in the preambleto 
the NPRM, we believe paragraph (c) 
provides greater flexibility and 
deference to school administrators so 
they can bring appropriate resources to 
bear on a ci rcu instance that threatens 
the health or safety of individuals. 73 
FR 15574, 15589. In that regard, 
paragraph (c) provides that the 
Department will not substitute its 
judgment for that of the agency or 
institution if, based on the information 
avai I abl e at the ti me of the 
determination there is a rational basis 
for the agency's or institution's 
determination that a health or safety 
emergency exists and that the disclosure 
was made to appropriate parties. 

We do not agree that removal of the 
"strict construction" standard weakens 
FERPA or erodes privacy protections. 
Rather, the changes appropriately 
bal ance the i mportant i nterests of safety 
and privacy by providing school 
officials with the flexibility to act 
quickly and decisively when 
emergencies arise. Schools should not 



view FERPA 's "health or safety 
emergency" exception as a blanket 
excepti on for routi ne d i scl osu res of 
student information but as limited to 
disclosures necessary to protect the 
health or safety of a student or another 
individual in connection with an 
emergency. 

After consi derati on of the comments, 
we have determi ned that educati onal 
agencies and institutions should be 
required to record the "articulable and 
significant threat to the health or safety 
of a student or other individuals" so 
that they can demonstrate (to parents, 
students, and to the Department) what 
ci rcumstances I ed them to determi ne 
that a health or safety emergency existed 
and how they justified the disclosure. 
Currently, educational agencies and 
institutions are required under 
§ 99.32(a) to record any disclosure of 
personally identifiable information from 
education records made under 
§ 99.31(a)(10) and § 99.36. We are 
revising the recordation requirements in 
§ 99.32(a)(5) to requi re an agency or 
institution to record the articulable and 
significant threat that formed the basis 
for the disclosure. The school must 
maintain this record with the education 
records of the student for as long as the 
student's education records are 
maintained (§ 99.32(a)(2)). 

We do not specify in the regulations 
a time period in which an educational 
agency or institution must record a 
disclosure of personally identifiable 
information from education records 
under § 99.32(a). We interpret this to 
mean that an agency or institution must 
record a disclosure within a reasonable 
peri od of ti me after the d i scl osu re has 
been made, and notjustatthetime, if 
any, when a parent or student asks to 
inspect the student's record of 
disclosures. We will treat the 
requirement to record the significant 
and articulable threat that forms the 
basis for a disclosure under the health 
or safety emergency exception no 
differently than the recordation of other 
disclosures. In determining whether a 
period of time for recordation is 
reasonable, we would examine the 
relevant facts surrounding the 
disclosure and anticipate that an agency 
or institution would address the health 
or safety emergency itself before turning 
to recordation of any disclosures and 
other administrative matters. 

I n response to concerns about the 
Department's enforcement of the 
provisions of § 99.36, the "rational 
basi s" test does not el i mi nate the 
Department's responsi bi I i ty for 
oversight and accountability. Actions 
that the Secretary may take i n 
addressing violations of this and other 
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FERPA provisions are addressed in the 
anal ysi s of comments under the secti on 
in this preamble entitled Enforcement. 
Whi le parents and el igi ble students do 
not have a right to sue for violations of 
FERPA in a court of law, the statute 
provides that the Secretary may not 
make funds available to any agency or 
institution that has a policy or practice 
of violating parents' and students' rights 
under the statute with regard to consent 
to the d i scl osu re of ed ucati on records. 
Assuch, parents and el igi ble students 
may file a complaint with the Office if 
they believe that a school has violated 
their rights under FERPA and has 
disclosed education records under 
§ 99.36 inconsistent with these 
regulations. In conducting an 
investigation, the Office will require 
that schools identify the underlying 
facts that demonstrated that there was 
an articulable and significant threat 
preci pi tati ng the d i scl osure under 
§ 99.36. 

I n response to the comment about 
what would constitute an emergency, 
FERPA permits disclosure "* * * in 
connection with an emergency * * * to 
protect the health or safety of the 
student or other persons.” 20 U.S.C. 
1232g(b)(l)(l). We note that the word 
"protect” general ly means to keep from 
harm, attack, or injury. As such, the 
statutory text underscores that the 
educational agency or institution must 
be abl e to rel ease i nformati on from 
education records in sufficient time for 
the institution to act to keep persons 
from harm or injury. Moreover, to be "in 
connection with an emergency” means 
to be rel ated to the th reat of an actual , 
impending, or imminent emergency, 
such as a terrorist attack, a natural 
disaster, a campus shooti ng, or the 
outbreak of an epidemic such as e-col i. 
An emergency could also be a situation 
in which a student gives sufficient, 
cumulative warning signs that lead an 
educational agency or institution to 
believe the student may harm himself or 
others at any moment. It does not mean 
the threat of a possi ble or eventual 
emergency for which the likelihood of 
occurrence is unknown, such as would 
be addressed in emergency 
preparedness activities. 

Changes: We have amended the 
recordkeepi ng requi rements i n 
§ 99.32(a)(5) to requi re educational 
agencies and institutions to record the 
articul abl e and si gn i fi cant th reat that 
formed the basis for a disclosure under 
the health or safety emergency 
exception and the parties to whom the 
information was disclosed. 



(c) Articulable and Significant Threat 

Comment: One commenter stated that 
the word "articulable" in § 99.36(c) was 
confusi ng i n reference to a school 's 
determination that there is an 
"arti cu I abl e and si gn if i cant threat to the 
health or safety of a student or other 
individuals." This commenter stated 
that school officials might interpret the 
provision to mean that there must be a 
verbal threat or that school officials 
must writedown the exact wording of 
the threat. 

Discussion: The requirement that 
there must be an "articulable and 
significant threat” does not mean that 
the threat must be verbal . It si mply 
means that the institution must be able 
to articulate what the threat is under 
§ 99.36 when it makes and records the 
disclosure. 

In that regard, the words "articulable 
and significant" are adjectives 
modifying the key noun "threat." As 
such, the focus is on the threat, with the 
qu esti on bei n g w h eth er th e th reat i tsel f 
is articulable and significant. The word 
"articulable” is defined to mean 
"capabl e of bei ng arti cul ated ." http:// 
www.merriam-webster.com/dictionary/ 
articulable. This portion of the standard 
simply requires that a school official be 
able to express in words what leads the 
official to conclude that a student poses 
a threat. The other half of the standard 
is the word "significant," which means 
"of a noticeably or measurably large 
amount.” http://www.merriam- 
webster.com/dictionary/significant. 
Taken together, the phrase "articulable 
and significant threat" means that if a 
school official can explain why, based 
on all the information then available, 
the official reasonably believes that a 
student poses a significant threat, such 
as a threat of substantial bodi ly harm, to 
any person, including the student, the 
school official may disclose education 
records to any person whose knowledge 
of i nformati on from those records will 
assist in protecting a person from that 
threat. 

Changes: None. 

(d) Parties That May Receive 
Information Under § 99.36 

Comment: A commenter 
recommended that the Department 
adopt a more subjective standard 
regarding the persons to whom 
education records may be disclosed 
under § 99.36, suggesti ng that we 
remove the requi rement that the 
disclosure must be to a person "whose 
knowledge of the information is 
necessary to protect the health or safety 
of the student or other individuals." 
Conversely, another commenter 



expressed concern that the Department 
was sending the wrong message to 
educational agencies and institutions 
with these changes to § 99.36. The 
commenter stated that the health or 
safety emergency exception must not be 
perceived to permit schools to routinely 
disclose education records to parents, 
police, or others. 

A commenter asked who at a school 
may share personally identifiable 
information in a health or safety 
emergency, and specifically whether a 
school secretary would be allowed to 
tel I parents that a student on campus 
made a threat to others. 

A commenter stated that school 
districts, especially small or rural 
d i stri cts, may not have the experti se on 
staff to determine whether a situation 
constitutes an "articulable and 
significant threat." The commenter said 
that personally identifiable information 
on students may need to be disclosed to 
outside law enforcement and mental 
health professionals so that they can 
help schools determine whether a real 
threat exists. The commenter 
recommended that the Department 
change the proposed regulations to 
allow school districts to involve outside 
experts i n determini ng whether a health 
or safety emergency exists. Noting that 
theNPRM addressed the disclosure of 
education records to an eligible 
student's parents, the organization also 
asked for clarification regarding whether 
the parents of a potential perpetrator 
and the potential victim at the K- 12 
level could be told about a threat. 

Several commenters stated that our 
proposed amendments did not go far 
enough and urged the Department to 
expand § 99.36 to permit a school to 
notify whomever the student has I isted 
as his or her emergency contact. 

Another commenter requested that the 
Secretary, through these regulations, 
direct institutions to proactively notify 
parents of students who are in acute 
care situations, such as illness or 
accidents, if any institutional official is 
aware of the emergency. 

Discussion: On its face, FERPA 
permits disci osure to "appropriate 
persons if the knowledge of such 
information is necessary to protect the 
health or safety of the student or other 
persons.” 20 U.S.C. 1232g(b)(l)(l). 
FERPA does not requi re that the person 
receiving the information be responsible 
for providing the protection. Rather, the 
focus of the statutory provision is on the 
information itself: The "health or safety 
emergency" exception permits the 
institution to disclose information from 
education records in order to gather 
information from any person who has 
information that would be necessary to 





Federal Register/ Vol. 73, No. 237/Tuesday, December 9, 2008/ Rules and Regulations 74839 



provide the requisite protection. Thus, 
for example, an educational institution 
that reasonably bel ieves that a student 
poses a threat of bodily harm to any 
person may disclose information from 
education records to current or prior 
peers of the student or mental health 
professionals who can provide the 
institution with appropriate information 
to assi st i n protecti ng agai nst the th reat. 
Moreover, the institution may disclose 
records to persons such as law 
enforcement officials that it determi nes 
may be helpful in providing appropriate 
protection from the threat. An 
educational agency or institution may 
also generally disclose information 
under § 99.36 to a potential victim and 
the parents of a potential victi m as 
"other individuals" whose health or 
safety may need to be protected. 

Similarly, in order to obtain 
information that would inform its 
judgment on how to address the threat, 
the student's current institution may 
disclose information from education 
records to other schools or institutions 
which the student previously attended. 

I n that regard, the same set of facts 
underl yi ng the current i nsti tuti on's 
determination that an emergency 
existed would also permit former 
school sand institutions attended by the 
student to disclose personally 
identifiable information from education 
records to the student's current 
institution. That is, a former school 
would not need to make a separate 
determination regard i ng the existence of 
an articulable and significant threat to 
the health or safety of a student or 
others, and could rely instead on the 
determination made by the school 
currently attended by the student in 
making the disclosure. 

In the discussion on page 15589 of the 
NPRM, we noted that the "health or 
safety emergency" exception does not 
permit a local school district to 
routinely share its student information 
database with the local police 
department. This example was meant to 
clarify that FERPA's health or safety 
provisions would not permit a school to 
disclose without consent education 
records to the local police department 
unless there was a health or safety 
emergency and the disclosure of the 
information was necessary to protect the 
health or safety of students or other 
individuals. This does not prevent 
school s from havi ng worki ng 
relationships with local police 
authorities and to use local police 
officers in maintaining the safety of 
their campuses. 

I n response to the comment about 
which school official should be 
permitted to disclose information under 



§ 99.36, an educational agency or 
institution will need to make its own 
determination about which school 
officials may access a student's 
education records and disclose 
information to parents or other parties 
whose knowledge of the information is 
necessary to protect the health or safety 
of the student or other individuals. 
Under § 99.31(a)(1), an educational 
agency or institution may disclose 
education records, without consent, to 
school officials whom the agency or 
institution has determi ned have 
legitimate educational interests in the 
information. It may be helpful for 
schools to have a policy in place 
concerning which school officials will 
have access to and the responsi bi I i ty for 
disclosing information in emergency 
situations. 

We understand that some educational 
agencies and institutions may need 
assistance in determining whether a 
health or safety emergency exists for 
purposes of complying with these 
regulations. The Department encourages 
schools to implement a threat 
assessment program, including the 
establ i sh ment of a th reat assessment 
team that uti I i zes the experti se of 
representatives from law enforcement 
agencies in the community. Schools can 
respond to student behavior that raises 
concerns about a student's mental 
health and the safety of the student and 
others that is chronic or escalating by 
usi ng a threat assessment team, and 
then make other disclosures under the 
health or safety emergency exception, as 
appropriate, when an "articulable and 
significant threat" exists. Information on 
establ i sh i ng a th reat assessment 
program and other helpful resources for 
emergency situations can be found on 
the Department's Web site: http:// 
www.ed.gov/admins/lead/safety/ 
edpicks.jhtml?src=ln. 

An educational agency or institution 
may disclose education records to threat 
assessment team members who are not 
employees of the district or institution 
if they qualify as "school officials" with 
"legitimate educational interests" under 
§ 99.31(a)(l)(i)(B), which is discussed 
elsewhere in this preamble. To receive 
the education records under the "school 
officials" exception, members of the 
threat assessment team must be under 
the direct control of the educational 
agency or institution with respect to the 
mai ntenance and use of personal I y 
identifiable information from education 
records. For example, a representative 
from the city pol ice who serves on a 
school 's threat assessment team 
generally could not redisclose to the city 
police personally identifiable 
information from a student's education 



records to which he or she was privy as 
part of the team. As noted above, 
however, the institution may disclose 
personally identifiable information from 
education records when and if the threat 
assessment team determi nes that a 
health or safety emergency exists under 
§§ 99.31(a)(10) and 99.36. 

We bel i eve that § 99.36 does not need 
to be expanded to permit a school to 
contact whomever an eligible student 
has listed as his or her emergency 
contact, nor is there authority to do so. 
FERPA does not preclude institutions 
from contacting other parties, including 
parents, in addition to the emergency 
contacts provided by the student, if the 
school determi nes these other parties 
are "appropriate parties" under this 
exception. (An eligible student may 
provide consent for the institution to 
notify certain individuals in case of an 
emergency, should an emergency 
occur.) 

The regulations would not prevent an 
institution from having a policy of 
seeki ng prospecti ve consent from 
el igi ble students for the disclosure of 
personally identifiable information or 
from having a pol icy for obtaining 
consent for disclosure on a case-by-case 
basis. Flowever, FERPA does not require 
that a postsecondary institution disclose 
information to any party except to the 
el igi ble student, even if the student has 
consented to the disclosure. Thus, the 
Secretary does not have the statutory 
authority to require school officialsto 
disclose information from a student's 
education records in compliance with a 
consent si gned by the student or to 
otherwise require the institution to 
contact a fami I y member. 

Changes: None. 

(e) T reatment Records 

Comment: A commenter stated that 
while the amendments to § 99.36 
provide needed clarification about when 
an educational agency or institution 
may disclose students' education 
records to avert traged i es I i ke the one at 
Virginia Tech in April 2007, the NPRM 
did not provide clarity on the issue of 
information sharing between on-campus 
and off-campus health care providers. 
The commenter also noted that the 
Virginia Tech Review Panel 
recommended that Congress amend 
FERPA to explain how Federal privacy 
laws apply to medical records held for 
treatment purposes and that the NPRM 
did not provide that clarity. 

Another commenter stated that if 
information about a student related to a 
health or safety emergency is part of the 
treatment records mai ntai ned by a 
university's health clinic, the treatment 
records should be treated likeeducation 
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records so that they may be disclosed 
under the health and safety emergency 
exception. A commenter asked that the 
Department clarify that col lege health 
and mental health records are not 
education records under FERPA and 
must be treated I ike other health and 
mental health records in other settings. 

Discussion: Whilewehave carefully 
considered the comments concerning 
"treatment records,” the Secretary does 
not bel ieve that it is necessary to amend 
the regulations to provide clarification 
on the handling of health and medical 
records. The Departments of Education 
and Health and Human Services have 
issued joint guidance that explains the 
relationship between FERPA and the 
HIPAA Privacy Rule. The guidance 
add resses th i s i ssue for these records at 
the elementary and secondary levels, as 
wel I as at the postsecondary level . The 
joint guidance, which is on the Web 
sites of both agencies, addresses many 
of the questions raised by school 
administrators, health care 
professionals, and others as to how 
these two laws apply to records 
maintained on students. It also 
add resses certai n d i scl osu res that are 
allowed without consent or 
authorization under both laws, 
especial I y those related to health and 
safety emergency situations. The 
guidance can be found here: http:// 
www.ed.gov/policy/gen/guid/fpco/ 
index.html. 

As discussed elsewhere in this 
preamble with respect to § 99.31(a)(2), 
while "treatment records" are excluded 
from the definition of education records 
under FERPA, if an eligible student's 
treatment records are used for any 
purpose other than the student's 
treatment, or if a school wishes to 
disclose the treatment records for any 
purpose other than the student's 
treatment, they may only be disclosed as 
education records subject to FERPA 
requirements. Therefore, an eligible 
student's treatment records may be 
disclosed to any party, without consent, 
as long as the disclosure meets one of 
the exceptions to FERPA 's general 
consent rule. See 34 CFR 99.31. One of 
the permitted disclosures under this 
section is the "health or safety 
emergency" exception. 

Changes: None. 

Identification and Authentication of 
Identity (§ 99.31(c)) 

Comment: Several commenters 
supported our proposal to require 
educational agencies and institutions to 
use reasonable methods to identify and 
authenticate the identity of parents, 
students, school officials, and any other 
parties to whom the agency or 



institution discloses personally 
identifiable information from education 
records. One commenter supported the 
provision but advocated requiring the 
use of two-factor identification for 
information that could be used to 
commit identity theft and financial 
fraud. (Two-factor identification 
requi res the use of two methods to 
authenticate identity, such as 
fingerprint identification in addition to 
a PIN.) 

One commenter said that the 
identification and authentication 
requirement will help protect students 
affected by domestic violence who are 
living in substitute care situations. The 
commenter noted that many parents in 
situations involving domestic violence 
do not have photo identification (ID) 
and would be unableto meet a 
requirement to provide photo ID in 
order to access their children's 
education records. 

One commenter strongly supported 
the proposed amendment and said it 
will be valuable in aiding the privacy 
and protection of homeless children. 
Another commenter questioned whether 
the identification and authentication 
requ i rement i s necessary for staff of 
large school districts with centralized 
off i ces. 

One commenter did not support the 
proposed regu I ati on stati ng that i t w i 1 1 
bean additional burden on school 
districts. The commenter agreed with 
our statement i n the preambl e to the 
NPRM that the regulations should 
permi t d i stri cts to d eterm i n e th ei r ow n 
methods of identification and 
authentication. However, the 
commenter stated that districts should 
not be requ i red to have a si i d i ng seal e 
of control based on the level of potential 
threat and harm and that it would not 
be practical to give every person 
requesti ng access to education records a 
PIN or similar method of authentication. 
For example, the commenter stated that 
parents might be provided with a PIN, 
but districts would not want to provide 
a PIN to a reporter or other third party. 
The commenter requested additional 
examples of how districts may 
authenticate requests received by phone 
or e-mai I . The commenter also stated 
that districts are sometimes concerned 
that government-issued photo IDs are 
fraudulent. Asa result, the group 
requested that the Department adopt a 
"safe harbor" provision that requiring a 
government-issued photo ID for in- 
person requests is reasonable. 

One commenter expressed concern 
that the proposed regul ati ons were too 
restrictive and could be too complex to 
administer, and that this would cause 
an i nstituti on to choose not to transfer 



information even though it is permitted 
to do so. This commenter asked whether 
the Department will accept an 
institution's efforts at compl iance as 
sufficient without examini ng the 
effectiveness of those efforts. 

Discussion: The identification and 
authentication methods discussed in the 
NPRM (73 FR 15585) are intended as 
examples and should not be considered 
to be exhaustive. Because there are 
many methods avai I abl e to provi de 
secure authentication of identity, and as 
more methods continue to be 
developed, we do not think it 
appropriate at this time to requ ire the 
use of two-factor authentication as 
requested by the commenter. T wo-factor 
authentication can be expensive and 
cumbersome, and we bel ieve that each 
educational agency or institution should 
decide whether to use its resources to 
implement a two-factor authentication 
method or another reasonable method to 
ensure that education records are 
disclosed only to an authorized party. 
The comment that a portion of the 
population will be disadvantaged if only 
photo I D is permitted to authenticate 
identity confirms that we need to retain 
flexibility in the regulations. 

We do not agree that certai n types of 
staff should be excepted from the 
identification and authentication 
requirement. All staff members, whether 
i n a central i zed offi ce, or i n separate 
ad mi n i strati ve offi ces th rou gh ou t a 
school system, must be cognizant of and 
responsi blefor complying with 
identification and authentication 
requirements. 

Due to the differences in size, 
complexity, and access to technology, 
we believe that educational agencies 
and institutions should have the 
flexibility to decide the methods for 
identification and authentication of 
identity best suited to their own 
circumstances. The regulatory 
requi rement is that agencies and 
institutions use "reasonable" methods 
to identify and authenticate identity 
when disclosing personally identifiable 
information from education records. 
"Effectiveness" is certainly one 
measure, but not necessari ly a 
dispositive measure, of whether the 
methods used by an agency or 
institution are "reasonable". As we 
explained in the NPRM, an agency or 
institution is not required to eliminate 
all risk of unauthorized disclosure of 
education records but to reduce that risk 
to a level commensurate with the I ikely 
threat and potential harm. 73 FR 15585. 

Further in that regard, we note that a 
"sliding scale" of protection is not 
mandated per se. However, it may not 
be "reasonable" to use the same 
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methods to protect students' SSNs or 
credit card numbers from unauthorized 
access and disclosure that are used to 
protect students' names and other 
d i rectory i nformati on . We bel i eve that a 
PIN process could be useful to provide 
access to education records for parties, 
such as parents, students, or school 
officials, but that it would not generally 
be useful for providi ng records to 
outside parties, such as reporters or 
parties seeking directory information. 

W hi I e the use of government-issued 
photo I D may be a reasonable method to 
authenticate identity, depending on the 
ci rcumstances and the i nformati on 
being released, weareunableto 
conclude at thisti me that it is 
sufficiently secure to constitute a safe 
harbor for meeting this requirement. 

Changes: None. 

Enforcement (§ 99.64) 

(a) § 99.64(a) 

Comment: Onecommenter supported 
our proposal to amend § 99.64(a) to 
provide that a complaint submitted to 
FPCO does not have to allege that a 
violation or failure to comply with 
FERPA is based on a policy or practice 
of the agency or institution. The 
commenter stated that parents often are 
not aware of legal and technical criteria, 
and complaints filed by parents should 
not be subject to technical rules 
typically applied to filings made by 
attorneys. 

Another commenter did not support 
the proposed amendment and asked 
several questions concerning the effects 
of the change. The commenter asked 
whether this provision means that the 
Off i ce w i 1 1 i n vesti gate an al I egati on 
concerning a single and perhaps 
unintentional action not related to a 
policy or practice of the institution. The 
commenter also asked whether such an 
investigation could resultin afindingof 
a violation if the finding is not based on 
an institution's policy or practice, and 
what enforcement acti ons can be taken 
in those circumstances. The commenter 
suggested that we modify the 
regulations to provide that, for 
complai nts not al legi ng a violation 
based on an institution's policy or 
practice, the Office will undertakean 
investigation only when it determines 
that the al legations are of a sufficiently 
serious nature to warrant an inquiry. 

Discussion: The changes we proposed 
in thissection were intended to clarify 
that it i s suffi ci ent for a complaint to 
allege that an educational agency or 
institution violated a requirement of 
FERPA, and that a complaint does not 
need to allege that the violation is a 
result of a policy or practice of an 



agency or institution in order for the 
Office to investigate the complaint. 

Weexplain in our discussion of the 
proposed changes to § 99.67 that the 
Secretary must find that an educational 
agency or institution has a policy or 
practice in violation of the non- 
disclosure requirements in FERPA 
before seeking to withhold, terminate, or 
recover program funds for that violation. 
Flowever, FPCO is not limited to 
investigating complaints and finding 
that an educational agency or institution 
violated FERPA only if the allegations 
and findings are based on a policy or 
practice of an educational agency or 
institution. 

Moreover, we do not agree that only 
conduct that involvesa policy or 
practice or that affects multiple students 
is serious enough to warrant an 
investigation of the allegations. An 
educational agency or institution may 
not even be aware of FERPA violations 
committed by its own school officials 
until the Office investigates an 
allegation of misconduct. These kinds of 
i n vesti gati ons often serve the very 
i mportant purpose of hel pi ng ensure 
that si ngl e i nstances of mi sconduct do 
not become pol i ci es or practi ces of an 
agency or institution. Further, whilean 
agency or institution may not think that 
a single, unintentional violation of 
FERPA is significant, it is often 
considered serious by the parent or 
student affected by the violation. 

Therefore, consistent with its current 
practi ce, the Offi ce may fi nd that an 
educational agency or institution 
violated FERPA without also finding 
that the violation was based on a policy 
or practice. Note that under §§ 99.66(c) 
and 99.67, the Offi ce may not take any 
enforcement acti on against an agency or 
institution that has violated FERPA 
until it provides the agency or 
institution with a reasonable period of 
time to come into compliance 
voluntarily. 

Changes: None. 

(b) § 99.64(b) 

Comment: A number of commenters 
supported proposed § 99.64(b), which 
provided that the Office may investigate 
a possible FERPA violation even if it has 
not received a timely complaint from a 
parent or student or if a valid complaint 
is subsequently withdrawn. Several of 
these commenters stated that it is 
appropriate and important to permit 
persons who are not parents or eligi ble 
students, but who have knowledge of 
potential FERPA violations, to provide 
this information to the Office for 
consideration of a possible 
investigation. 



Several commenters objected to the 
proposed change. Onecommenter 
expressed serious concern that the 
regulations will greatly expand the 
authority of the Office to investigate any 
potential FERPA violation, even when 
no complaint is filed or when a 
complaint has been withdrawn. In 
particular, the commenter stated that an 
institution would not have an 
opportunity to review and respond to 
specific allegations when the 
investigation does not concern a 
particular complai nt. 

Another commenter asserted that the 
Department has not demonstrated why 
the proposed amendment is necessary. 
The commenter said that unless there is 
evidence of a widespread problem, the 
proposed change will increase 
university costs in responding to 
investigations without a corresponding 
benefit to the public. 

Another commenter said that the 
Office should not investigate allegations 
that are not filed by a parent or eligi ble 
student because an institution must 
know the name of the fi I i ng party and 
the specific circumstances of the 
allegation in order to properly defend its 
actions. The commenter said that it 
should not be unnecessarily burdened 
by an investigation by the Office when 
it has already dealt with the situation to 
the satisfaction of the affected student, 
and that any student who is not satisfied 
with the institution's efforts retains the 
abi I i ty to f i I e a compl ai nt. The 
commenter also noted that a complaint 
fi led by an affected student has more 
credibility than allegations made by 
other parties. The commenter was 
concerned that accepting information 
from other parti es cou I d resu 1 1 i n fi I i ngs 
from persons with grievances unrelated 
to FERPA, such as a disgruntled 
employee, or an applicant rejected for 
admission, ora parent or eligible 
student who missed a filing deadline of 
some kind. 

One commenter said that the 
proposed change would result in an 
i neffecti ve use of the I i mi ted resou rces 
of the Offi ce because i t wou I d be 
i n vesti gati ng al I egati ons that may not 
have a suffi ci ent basi s. 

Discussion: We proposed the changes 
to § 99.64(b) to clarify that the Office 
may initiate its own investigation that 
an educational agency or institution has 
violated FERPA. (The amendment also 
clarifies that if the Office determines 
that an agency or institution violated 
FERPA, it may also determine whether 
the violation was based on a policy or 
practice of the agency or institution.) 

Our experience has shown that 
sometimes FERPA violations are 
brought to the attend on of the Offi ce by 
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school officials, officials in other 
schools, or by the media. It is important 
that the Office have authority to 
investigate allegations of non- 
compliance in these situations. 
Consistent with its current practice, a 
notice of investigation issued by the 
Office will provide sufficient and 
specific factual information to permit 
the agency or institution to adequately 
investigate and respond to the 
allegations, whether or not the 
investigation is based on a complaint by 
a parent or eligible student. 

We do not agree that allowing the 
Office to initiate its own investigations 
of possible FERPA violations will lead 
to abuses of the process by persons 
seeking to redress other grievances with 
an institution. The Office will continue 
to be responsi bl e for eval uati ng the 
validity of the information and 
al I egati ons that come to i ts attenti on by 
means other than a valid complaint and 
determining whether to initiate an 
investigation. We do not anticipate that 
the Office will initiate an investigation 
of every allegation or information it 
receives. We bel ieve, however, that it is 
i important that the Offi ce be abl e to 
investigate any violation of FERPA for 
which it receives notice. As stated in the 
NPRM, 73 FR 15591, the Department is 
not seeki ng to expand the scope of 
FERPA investigations beyond the 
current practices of the Office. 

Changes: None. 

(c) § 99.66 

Comment: We received one comment 
on the proposed change to § 99.66(c), 
which allows but does not require FPCO 
to make a finding that an educational 
agency or institution has a policy or 
practice in violation of a FERPA 
requirement when the Office issues a 
notice of findings in § 99.66(b). The 
commenter stated that its review of 
FERPA and the Supreme Court decision 
in Gonzaga University v. Doe, 536 U.S. 
273 (2002) (Gonzaga), indicates that the 
Offi ce may not i ssue a fi ndi ng of a 
violation of FERPA and require 
corrective action or take any 
enforcement action without also finding 
that the violation constituted a policy or 
practice of the agency or institution. 

Discussion: Weexplain in the 
discussion of the changes to § 99.67 that 
there are circumstances in which the 
Office would be required to find that an 
educational agency or institution has a 
pol i cy or practi ce i n vi ol ati on of a 
FERPA requirement before taking 
certain enforcement actions, such as an 
action to terminate funding for a 
violation of the non-disclosure 
requirements, 20 U.S.C. 1232g(b)(l) and 
(b)(2) and 34 CFR 99.30. Flow ever, the 



Office is not required to find a policy or 
practice in violation of FERPA before 
i ssu i n g a n oti ce of f i nd i n gs or taki n g 
other ki nds of enforcement actions. 

Changes: None. 

(d) § 99.67 

Comment: One commenter supported 
the clarification in proposed § 99.67 that 
the Office may not seek to withhold 
payments, termi nate el i gi bi I i ty for 
funding, or take certai n other 
enforcement actions uni ess it 
determines that the educational agency 
or institution has a policy or practice 
that violates FERPA. Another 
commenter expressed general support 
for the proposed change, including the 
clarification that the Secretary may take 
any legally avail able enforcement 
action, in addition to those specifically 
listed in the current regulations. The 
commenter expressed concern, 
however, that the penalties are not 
severe enough to effectively discourage 
unintentional or willful violations by 
third parties, particularly in areas of 
research and data sharing with outside 
parti es. 

Another commenter expressed 
concern that the proposed amendment 
would unnecessarily broaden the 
enforcement options avai I able to the 
Secretary. The commenter stated that 
educational agencies and institutions 
will not be able to assess the risks and 
consequences associated with their 
actions without a limitation on the 
range of enforcement actions avai I able 
to the Department when a violation of 
FERPA is found. 

One commenter asked the Department 
to clarify that al I methods of enforcing 
FERPA that are contained in the current 
regulations will be retained in the final 
regulations. The commenter said that 
the proposed regulations in the NPRM 
(73 FR 15602) appear to remove the 
Secretary's abi I ity to termi nate fundi ng. 

Discussion: We explained in the 
preambleto the NPRM (73 FR 15592) 
that there were two reasons for the 
proposed changes to § 99.67(a). One was 
the need to clarify that the Secretary 
may take any enforcement action that is 
legally availableand is not limited to 
those specified under the current 
regulations, i.e., withholding further 
payments under any applicable 
program: issuing a complaint to compel 
compliance through a cease-and-desist 
order: or termi nati ng el i gi bi I ity to 
receive funding under any applicable 
program. Other actions the Secretary 
may take to enforce FERPA include 
entering into a compliance agreement 
under 20 U .S.C. 1234f and seeki ng an 
injunction. 



This change to § 99.67(a) does not 
broaden the Secretary's enforcement 
options, as suggested by one 
commenter. The General Education 
Provisions Act (GEPA) provides the 
Secretary with the authority to take 
certai n enforcement actions to address 
violations of statutory and regulatory 
requirements, including general 
authority to "take any other action 
authorized by law with respect to the 
recipient." 20 U.S.C. 1234c(a)(4). The 
change to § 99.67(a) simply includes, for 
purposes of clarity, the Secretary's 
existi ng authority under GEPA to take 
any legally avai I able action to enforce 
FERPA requirements. (We note that 
before taking enforcement action the 
Offi ce must determi ne that the 
educational agency or institution is 
failing to comply substantially with a 
FERPA requirement and provide it with 
a reasonable period of time to comply 
voluntarily. See 20 U.S.C. 1234c(a); 20 
U.S.C. 1232g(f); and 34 CFR 99.66(c).) 

We also proposed to amend § 99.67(a) 
to clarify that the Office may issue a 
noti ce of vi ol ati on for fai I ure to compl y 
with specific FERPA requirements and 
require corrective actions but may not 
seek to termi nate el i gi bi I i ty for fu nd i ng, 
withhold payments, or take other 
enforcement actions unless the Office 
determined that an agency or institution 
has a policy or practice in violation of 
FERPA requirements (73 FR 15592). 
Upon further review, we have decided 
not to adopt this particular change 
because we believe it limits the 
Secretary's enforcement authority in a 
manner that is not legally required. 

In support of its holding in Gonzaga 
that FERPA 's non-disclosure provisions 
do not create rights that are enforceable 
under 42 U.S.C. 1983, the Court 
observed that FERPA provides that no 
funds shall be made avai I able to an 
educational agency or institution that 
has a policy or practice of disclosing 
education records in violation of FERPA 
requirements. 536 U.S. at 288: see also 
20 U.S.C. 1232g(b)(l) and (b)(2); 34 CFR 
99.30. As such, the statute and Gonzaga 
decision suggest that with respect to 
violations of FERPA 's non-disclosure 
requirements, the Secretary must find 
that an educational agency or institution 
has a policy or practice in violation of 
FERPA requirements before taking 
actions to terminate, withhold, or 
recover funds for those violations. 
Flowever, there is no requirement under 
the statute (or the Gonzaga decision) for 
the Secretary to find a policy or practice 
in violation of FERPA requirements on 
the part of an educational agency or 
institution before taking other kinds of 
enforcement actions for violations of the 
non-disclosure requirements, such as 
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seeking an injunction or a cease-and- 
desist order. We note al so that the 
Gonzaga opinion does not address 
violations of other FERPA requirements, 
such as parents' right to inspect and 
review theirchildren'seducation 
records and the requirement that 
educational agencies and institutions 
afford parents an opportunity for a 
heari ng to chal lenge the content of a 
student's education records under 
certain circumstances, which do not 
contain the same "policy or practice" 
language as the non-disclosure 
requirements. Because we did not 
address enforcement of these other 
FERPA requirements in the NPRM, we 
have decided not to address in the final 
regulations limitations or pre-conditions 
that apply solely to actions to terminate, 
withhold, or recover program funds for 
violations of the non-disclosure 
requirements. 

I n response to the comment that the 
avai lable penalties are not severe 
enough to discourage FERPA violations, 
we note that the Secretary has authority 
to terminate, withhold, and recover 
program funds and take other 
enforcement actions in accordance with 
part E of GEPA. The Secretary may not 
increase penalties beyond those 
authorized under FERPA and GEPA. 
Further, the regulations do not remove 
the Secretary's authority to terminate 
eligi bility for program funding or any 
other enforcement authority. The 
changes noted by the commenter who 
was concerned that the proposed 
regulations removed the Secretary's 
authority to terminate funding were 
corrections to punctuation and 
formatti ng onl y, not substanti ve 
changes. 

Changes: We have removed the 
language in § 99.67(a) that requires the 
Office to determine that an educational 
agency or institution has a policy or 
practice in violation of FERPA 
requ i remen ts before taki ng any 
enforcement action. 

Department Recommendations for 
Safeguarding Education Records 

Comment: We received a few 
comments on the recommendations for 
safeguarding education records 
included in the NPRM. One commenter 
expressed concern that schools and 
school districts should exercise 
enhanced security for the records of 
children receiving special education 
services. Accordi ng to the commenter, 
these children often havea large 
number of records and may receive 
services from a variety of providers, 
which can add to the chal lenge of 
ensuring that appropriate privacy 
controls are used. 



One commenter supported the 
safeguarding recommendations and 
suggested that we revise the 
recommendations to list non-Federal 
government sources providing guidance 
on methods for safeguarding education 
records. Another commenter supported 
the recommendations, but suggested 
that the regulations should requ ire that 
a parent or eligi ble student receive 
notification of an unauthorized release 
or theft of i nformati on . 

Discussion: The comments on the 
records of students who receive special 
educati on servi ces i 1 1 ustrate the 
necessity for educational agencies and 
i nsti tuti ons to ensure that adequate 
controls are in pi ace so that the 
education records of all students are 
handled in accordance with FERPA's 
privacy protections. The safeguarding 
recommendations that we provided in 
the NPRM, and are repeated in these 
final regulations, are intended to 
provide agencies and institutions 
additional information and resources to 
assist them in meeting this 
responsibility. In addition, educational 
agencies and institutions should refer to 
the protections required under § 300.623 
of the confidential ity of i nformati on 
requirements in Part B of the IDEA, 34 
CFR 300.623 (Safeguards). 

We acknowledge that there are many 
sources avai lable concerning 
information security technology and 
processes. The Department does not 
wish to appear to endorse the 
information or product of any company 
or organization; therefore, we have 
included only Federal government 
sources in this notice. 

The Department does not have the 
authority under FERPA to require that 
agencies or institutions issue a direct 
notice to a parent or student upon an 
unauthorized disclosure of education 
records. FERPA only requires that the 
agency or institution record the 
disclosure so that a parent or student 
will become aware of the disclosure 
during an inspection of the student's 
education record. 

Changes: None. 

We are republishing here, for the 
administrativeconvenienceof 
educational agencies and institutions 
and other parties, the Department 
Recommendations for Safeguarding 
Education Records that were published 
in the preamble to the NPRM (73 FR 
15598-15599): 

The Department recognizes that 
agenci es and i nsti tuti ons face si gn i fi cant 
challenges in safeguarding educational 
records. We are provi ding the fol I owi ng 
information and recommendations to 
assist agencies and institutions in 
meeti ng these chal lenges. 



As noted elsewhere in this document, 
FERPA provides that no funds 
administered by the Secretary may be 
made avai I able to any educational 
agency or institution that has a policy or 
practice of releasi ng, permitti ng the 
rel ease of, or provi d i ng access to 
personally identifiable information from 
education records without the prior 
written consent of a parent or eligible 
student except in accordance with 
specified exceptions. In light of these 
requi rements, the Secretary encourages 
educational agencies and institutions to 
uti I i ze appropri ate methods to protect 
education records, especially in 
electronic data systems. 

In recent years thefollowing incidents 
have come to the Department's 
attention: 

• Students' grades or fi nancial 
information, including SSNs, have been 
posted on publicly available Web 
servers; 

• Laptops and other portabl e devi ces 
containing similar information from 
education records have been lost or 
stolen; 

• Education records, or devices that 
maintain education records, have not 
been retrieved from school officials 
upon termination of their employment 
or service as a contractor, consultant, or 
volunteer; 

• Computer systems at col leges and 
universities have become favored targets 
because they hold many of the same 
records as banks but are much easier to 
access. See "Col lege Door Ajar for 
Online Criminals" (May 2006), available 
at http://www.uh.edu/ednews/2006/ 

lati mes/200605/20060530hackers.html. 
and July 10, 2006, Viewpoint in 
Business Week/Onl i ne avai lable at 
http://www.businessweek.com/ 
technology/content/jul2006/ 
tc20060710_558020.htm; 

• Nearly 65 percent of postsecondary 
educational institutions identified theft 
of personal information (SSNs, credit/ 
debit/ATM card, account or PIN 
numbers, etc.) as a high risk area. See 
Table 7, Perceived Risks at http:// 
www. ed u ca u se. ed u/ i r/ 1 i bra ry/ pdf/ 
ecar_so/ers/ers0606/Ekf0606.pdf; and 

• In December 2006, a large 
postsecondary institution alerted some 
800,000 students and others that the 
campus computer system containing 
their names, addresses, and SSNs had 
been compromised. 

The Department's Office of Inspector 
General (Ol G) noted in Final Inspection 
Alert Memorandum dated February 3, 
2006, that the Privacy Rights 
Clearinghouse reported that between 
February 15, 2005, and November 19, 
2005, there were 93 documented 
computer breaches of electronic fi I es 
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involving personal information from 
education records such as SSNs, credit 
card information, and dates of birth. 
Accordi ng to the reported data, 45 
percent of these incidents have occurred 
at col leges and universities nationwide. 
01 G expressed concern that student 
information may be compromised due 
to afailureto implement or administer 
proper security controlsfor information 
systems at postsecondary institutions. 

The Department recognizes that no 
system for maintaining and transmitting 
education records, whether in paper or 
electronic form, can be guaranteed safe 
from every hacker and thief, 
technological failure, violation of 
administrative rules, and other causes of 
unauthorized access and disclosure. 
Although FERPA does not dictate 
requi rements for safeguard i ng education 
records, the Department encourages the 
holders of personally identifiable 
information to consider actions that 
mitigate the risk and are reasonably 
calculated to protect such information. 
Of course, an educational agency or 
institution may use any method, 
combination of methods, or 
technologies it determines to be 
reasonable, taking into consideration the 
size, complexity, and resources 
avail able to the institution; the context 
of the information; the type of 
information to be protected (such as 
social security numbers or directory 
information); and methods used by 
other institutions in similar 
circumstances. The greater the harm 
that would result from unauthorized 
access or disclosure and the greater the 
likelihood that unauthorized access or 
disclosure will be attempted, the more 
protections an agency or institution 
should consider using to ensure that its 
methods are reasonable. 

One resource for administrators of 
electronic data systems is "The National 
Institute of Standards and Technology 
(NIST) 800-100, Information Security 
Handbook: A Guidefor Managers" 
(October 2006). See http://csrc.nist.gov/ 
publications/nistpubs/800-100/SP800- 
100-Mar07-2007.pdf. A second resource 
is NIST 800-53, Information Security, 
which catalogs information security 
controls. See http://csrc.nist.gov/ 
publications/nistpubs/800-53-Revl/800- 
53-revl-final-clean-sz.pdf. Similarly, a 
May 22, 2007, memorandum to heads of 
Federal agencies from the Office of 
Management and Budget requires 
executive departments and agencies to 
ensure that proper safeguards are i n 
place to protect personally identifiable 
information that they maintain, 
eliminate the unnecessary use of SSNs, 
and develop and implement a "breach 
notification policy." This memorandum, 



although directed towards Federal 
agencies, may also serve as a resource 
for educational agencies and 
institutions. See http:// 
www.whitehouse.gov/omb/memoranda/ 
fy2007/m07-16.pdf. 

Finally, if an educational agency or 
institution has experienced a theft of 
files or computer equipment, hacking or 
other intrusion, software or hardware 
malfunction, inadvertent release of data 
to Internet sites, or other unauthorized 
rel ease or d i scl osu re of educati on 
records, the Department suggests 
consideration of one or more of the 
following steps: 

• Report the incident to law 
enforcement authorities. 

• Determi ne exactl y what i nformati on 
was compromised, i.e., names, 
addresses, SSNs, ID numbers, credit 
card numbers, grades, and the like. 

• T ake steps i mmed i atel y to retri eve 
data and prevent any further 
disclosures. 

• Identify all affected records and 
students. 

• Determi ne how the i nci dent 
occurred, including which school 
officials had control of and 
responsibi lity for the information that 
was compromised. 

• Determine whether institutional 
policies and procedures were breached, 
including organizational requirements 
govern i ng access (user names, 
passwords, PINS, etc.); storage; 
transmission; and destruction of 
information from education records. 

• Determine whether the incident 
occurred because of a lack of monitoring 
and oversight. 

• Conduct a risk assessment and 
identify appropriate physical, 
technological, and administrative 
measures to prevent similar incidents in 
the future. 

• Notify students that the 
Department's Offi ce of I nspector 
General mai ntai ns a Web si te descri bi ng 
steps students may take if they suspect 
they are a victim of identity theft at 
http://www.ed.gov/about/offices/list/ 
oig'misused/idtheft.html; and http:// 
www.ed .gov/a bout/ off i ces/ 1 i st/oi g/ 
misused/vi ctim.html. 

FERPA does not requi re an 
educational agency or institution to 
notify students that information from 
their education records was stolen or 
otherwise subject to an unauthorized 
release, although itdoes require the 
agency or institution to maintain a 
record of each disclosure. 34CFR 
99.32(a)(1). (However, student 
notification may be required in these 
circumstances for postsecondary 
institutions under the Federal Trade 
Commi ssi on 's Standards for I nsuri ng 



the Security, Confidentiality, Integrity 
and Protection of Customer Records and 
Information ("Safeguards Rule") in 16 
CFR part 314.) In any case, direct 
student notification may be advisable if 
the compromised data includes student 
SSNs and other identifying information 
that could lead to identity theft. 

Executive Order 12866 

Under Executive Order 12866, the 
Secretary must determine whether this 
regulatory action is "significant" and 
therefore subject to the requirements of 
the Executive Order and subject to 
review by OMB. Section 3(f) of 
Executive Order 12866 defines a 
"significant regulatory action” as an 
action likely to result in a rulethat may 
(1) have an annual effect on the 
economy of $100 million or more, or 
ad versel y affect a sector of the economy, 
productivity, competition, jobs, the 
environment, public health or safety, or 
State, local or tribal governments, or 
communities in a material way (also 
referred to as an "economically 
significant" rule); (2) create serious 
inconsistency or otherwise interfere 
with an action taken or planned by 
another agency; (3) material ly alter the 
budgetary i mpacts of enti tl ement grants, 
user fees, or loan programs or the rights 
and obligations of recipients thereof; or 
(4) raise novel legal or policy issues 
arising out of legal mandates, the 
President's priorities, or the principles 
set forth i n the Executi ve order. The 
Secretary has determined that this 
regulatory action is significant under 
section 3(f)(4) of the Executive order. 

1. Summary of Public Comments 

The Department did not receive any 
comments on the anal ysi s of the costs 
and benefits in the NPRM. However, 
since the publication of the NPRM, we 
have identified several information 
collection requi rements that were not 
identified in the NPRM. We have added 
discussions of the costs and benefits of 
two information collection requirements 
in the following Summary of Costs and 
Benefits. 

2. Summary of Costs and Benefits 

Following isan analysis of the costs 
and benefits of the most significant 
changes to the FERPA regulations. In 
conducting this analysis, the 
Department exami ned the extent to 
which the regulations add to or reduce 
the costs of educational agencies and 
institutions and, where appropriate, 
State educational agencies (SEA s) and 
other State and local educational 
authorities in relation to their costs of 
complying with the FERPA regulations 
prior to these changes. 





Federal Register/ Vol. 73, No. 237/Tuesday, December 9, 2008/ Rules and Regulations 74845 



This analysis is based on data from 
the most recent Digest of Education 
Statistics (2007) published by the 
National Center for Education Statistics 
(NCES), which projects total enrollment 
for Fall 2008 of 49,812,000 students in 
public elementary and secondary 
school sand 18,264,000 students in 
postsecondary institutions; and a total 
of 97,382 public K- 12 schools; 14,166 
school districts; and 6,463 
postsecondary institutions. (Excluded 
are data from private institutions that do 
not receive Federal funding from the 
Department and, therefore, are not 
subject to FERPA.) Based on this 
anal ysi s, the Secretary has concl uded 
that the changes in these regulations 
will not impose significant net costs on 
educational agencies and institutions. 
Analyses of specific provisions follow. 

Alumni Records 

The regulations in § 99.3 clarify the 
current exclusion from the definition of 
education records for records that only 
contain information about an individual 
after he or she is no longer a student, 
which is intended to cover records of 
alumni and similar activities. Some 
i nsti tuti ons have appl i ed thi s excl usi on 
to records that are created after a 
student has ceased attend i ng the 
institution but that are directly related 
to his or her attendance as a student, 
such as investigatory reports and 
settl ement agreements about incidents 
and injuries that occurred during the 
student's enrollment. The amendment 
will clarify that this provision applies 
only to records created or received by an 
educational agency or institution after 
an individual is no longer a student in 
attendance and that are not directly 
related to the individual's attendance as 
a student. 

We bel i eve that most of the more than 
103,845 K-12 schools and 
postsecondary institutions subject to 
FERPA already adhere to this revised 
interpretation in the regulations and 
that for those that do not, the number 
of records affected i s I i kel y to be very 
small. Assuming that each year one half 
of one percent of the 68.1 million 
students enrolled in these institutions 
have one record each affected by the 
change, in the year following issuance 
of the regulations institutions will be 
requi red to try to obtai n written consent 
before releasi ng 350,380 records that 
they would otherwise release without 
consent. We esti mate that for the fi rst 
year contacti ng the affected parent or 
student to seek and process written 
consent for these disclosures will take 
approximately one-half hour per record 
at an average cost of $32.67 per hour for 
a total cost of $5,562,068. 



(Compensation for administrative staff 
time is based on publ ished esti mates for 
2005 from the Bureau of Labor 
Statistics' National Compensation 
Survey of $23.50 per hour pi us an 
average 39 percent benefit load for Level 
8 administrators in education and 
related fields.) 

In terms of benefits, the change will 
protect the privacy of parents and 
students by clarifying the intent of this 
regulatory exclusion and help prevent 
th e u n I awf u I d i sc I osu re of th ese record s. 
It will also provide greater legal 
certainty and therefore some cost 
savings for those agencies and 
institutions that may be required to 
litigate this issue in connection with a 
request under a State open records act 
or other legal proceeding. For these 
reasons, we bel i eve that the overal I 
benefits outweigh the potential costs of 
this change. 

Exclusion of SSNs and ID Numbers 
From Directory Information 

The proposed regulations in § 99.3 
clarified that a student's SSN or student 
ID number is personally identifiable 
information that may not be disclosed as 
directory information under FERPA. 

The final regulations allow an 
educational agency or institution to 
designate and disclose student ID 
numbers as di rectory information if the 
number cannot be used by itself to gai n 
access to education records, i.e. , it is 
used I i ke a name. SSNs may never be 
di scl osed as d i rectory i nformati on . 

The principal effect of this change is 
that educational agencies and 
institutions may not post grades by the 
student's SSN or non-directory student 
ID number and may not include these 
identifiers with directory information 
they disclose about a student, such as a 
student's name, school, and grade level 
or class, on rosters, or on sign-in sheets 
that are made avai I able to students and 
others. (Educational agencies and 
institutions may continue to include 
SSNs and non-di rectory student I D 
numbers on class rosters and schedules 
that are disclosed only to teachers and 
other school officials who have 
legitimate educational interests in this 
information.) 

A class roster or sign-in sheet that 
contai ns or requ i res students to affi x 
their SSN or non-directory student ID 
number makes that information 
availableto every individual who signs 
in or sees the document and increases 
the risk that the information may be 
improperly used for purposes such as 
identity theft or to find out a student's 
grades or other confidential educational 
information. In regard to posting grades, 
an individual who knows which classes 



a particular student attends may be able 
to ascertai n that student's SSN or non- 
di rectory student ID number by 
comparing class lists for repeat 
numbers. Because SSNs are not 
randomly generated, it may be possible 
to identify a student by State of origi n 
based on the first three (area) digits of 
the number, or by date of issuance based 
on the two middledigits. 

The Department does not have any 
actual data on how many class or test 
grades are posted by SSN or non- 
directory student ID number at this 
time, but we believe that the practice is 
rare or non-existent below the 
secondary level. Although the practice 
was once widespread, particularly at the 
postsecondary level, anecdotal evidence 
suggests that as a result of consistent 
training and informal guidance by the 
Department over the past several years, 
together with the increased attention 
States and privacy advocates have given 
to the use of SSNs, many institutions 
now either requi re teachers to usea 
code known only to the teacher and the 
student or prohi bit the posti ng of grades 
entirely. 

The most recent figures avai I abl e from 
the Bureau of Labor Statistics (2007) 
i nd i cate that there are approxi matel y 2.7 
million secondary and postsecondary 
teachers in the United States. As noted 
above, we assume that most of these 
teachers either do not post grades at all 
or al ready use a code known only to the 
teacher or student. We assume further 
that additional costs to del iver grades 
personally in the classroom or through 
electronic mail, instead of posting, will 
be minimal. For purposes of this 
anal ysi s, we esti mate that no more than 
five percent of 2.7 million, or 135,000 
teachers, conti nue to post grades by SSN 
or non-directory student ID number and 
thus will need to convert to a code, 
which will requ ire them to spend an 
average of one-half hour each semester 
establishing and managing grading 
codes for students. Si nee we do not 
know how many teachers at either 
education level will continue to post 
grades, and wages for postsecondary 
teachers are higher than secondary 
teacher wages, we use postsecondary 
teacher wages to ensure that the 
esti mate encompasses the upper limitof 
possi bl e costs. Using the Bureau of 
Labor Statistics' published esti mate of 
average hourly wages of $42.98 for 
teachers at postsecondary institutions 
and an average 39 percent load for 
benefits, we esti mate an average cost of 
$59.74 per teacher per year, for a total 
of $8,064,900. Parents and students 
should incur no costs except for the 
ti me they might have to spend to 
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contact the school official if they forget 
the student's gradi ng code. 

This change will benefit parents and 
students and educational agencies and 
institutions by reducing the risk of 
identity theft associated with posting 
grades by SSN, and the risk of 
disclosing grades and other confidential 
educational information caused by 
posti ng grades by a non-di rectory 
student ID number. It is difficult to 
quantify the val ue of reduci ng the ri sk 
of identity theft. According to the 
Federal Trade Commission, however, 
for the past few years over one-third of 
complaints filed with that agency have 
been for identity theft. According to the 
Better Business Bureau, identity theft 
costs businesses nearly $57 billion in 
2006, w h i I e vi cti ms spent an average of 
40 hours resolving identity theft issues. 
Itiseven more difficult to measure the 
benefits of enhanced privacy protections 
for student grades and other 
confidential educational information 
from education records because the 
value individuals place on the privacy 
of this information varies considerably 
and because we are unable to determine 
how often it happens. Therefore, we 
have no basi s to esti mate the val ue of 
these enhanced privacy protections in 
rel ati on to the expected costs to 
i mplement the changes. 

Prohibit Use of SSN To Confirm 
Directory Information 

The regulations will prevent an 
educational agency or institution (or a 
contractor providing services for an 
agency or institution) from using a 
student's SSN (or other non-directory 
information) to identify the student 
when rel easi ng or confi rmi ng d i rectory 
information. This occurs, for example, 
when a prospective employer or 
insurance company telephones an 
institution or submits an inquiry 
through the institution's Web site to 
find out whether a particular individual 
is enrol led in or has graduated from the 
institution. Whilethis provision will 
apply to educational agencies and 
institutions at all gradelevels, we 
believe that it will affect mainly 
postsecondary institutions because K- 
12 agencies and institutions typically do 
not provide enrollment and degree 
verification services. 

A survey conducted in March 2002 by 
the A meri can A ssoci ati on of Col I egi ate 
Registrars and Admissions Officers 
(AACRAO) showed that nearly half of 
postsecondary institutions used SSNs as 
the pri mary means to track students i n 
academic databases. Si nee then, use of 
SSNs as a student identifier has 
decreased significantly in response to 
public concern about identity theft. 



While postsecondary institutions may 
continue to collect students' SSNsfor 
financial aid and tax reporting purposes, 
many have ceased using the SSN as a 
student identifier either voluntarily or 
in compliance with State I aws. A I so, 
over the past several years the 
Department has provided training on 
this issue and published on the Office 
Websitea 2004 letter findinga 
postsecondary institution in violation of 
FERPA when its agent used a student's 
SSN, without consent, to search its 
database to verify that the student had 
received a degree, www.ed.gov/policy/ 
gen/guid/fpco/ferpa/l i brary / 
auburnuniv.html. Given these 
ci rcumstances, we esti mate that 
possibly one-quarter of the nearly 6,463 
postsecondary institutions in the United 
States, or 1,616 institutions, may ask a 
requester to provide the student's SSN 
(or non-directory student ID number) in 
order to locate the record and respond 
to an inquiry for directory information. 

Under the regulations an educational 
agency or institution that identifies 
students by SSN (or non-directory 
student ID number) when releasing 
directory information will either have to 
ensure that the student has provided 
written consent to disclose the number 
to the requester, or rely solely on a 
student's name and other properly 
designated directory information to 
identify the student, such as address, 
date of bi rth, dates of enrol I ment, year 
of graduation, major field of study, 
degree received, etc. Costs to an 
institution of ensuring that students 
have provided written consent for these 
disclosures, for example by requiring 
the requester to fax copies of each 
written consent to the institution or its 
contractor, or making arrangements to 
receive them electronically, could be 
substantial for large institutions and 
organ i zati ons that uti I i ze el ectroni c 
recordkeepi ng systems. Institutions may 
choose instead to conduct these 
verifications without using SSNs or 
non-directory student IDs, which may 
make it more difficult to ensure that the 
correct student has been identified 
because of the known problems in 
matching records without the use of a 
universal identifier. Increased 
institutional costs either to verify that 
the student has provided consent or to 
conduct a search without use of SSNs or 
non-directory student ID numbers 
should be I ess for smaller institutions, 
where the chances of dupl icate records 
are decreased. Parents and students may 
incur additional costs if an employer, 
insurance company, or other requester 
is unable to verify enrollment or 
graduation based solely on directory 



information, and written consent for 
disclosure of the student's SSN or non- 
directory student ID number is required. 
Due to thedifficulty in ascertaining 
actual costs associated with these 
transactions, we have no basis to 
esti mate costs that educational agencies 
and institutions and parents and 
students will incur as a result of this 
change. 

The enhanced privacy protections of 
this amendment will benefit students 
and parents by reducing the risk that 
third parties will disclose a student's 
SSN without consent and possibly 
confirm a questionable number for 
purposes of identity theft. Similarly, 
preventing institutions from implicitly 
confirming a questionable non-directory 
student I D number will hel p prevent 
unauthorized individualsfrom 
obtaining confidential information from 
education records. In evaluating the 
benefits or value of this change, we note 
that this provision does not affect any 
activity that an educational agency or 
institution is permitted to perform 
under FERPA or other Federal law, such 
as using SSNs to identify students and 
confirm their enrol I ment status for 
student loan purposes, which is 
permitted without consent under the 
financial aid exception in § 99.31. 

User ID for Electronic Communications 

The regulations will allow an 
educational agency or institution to 
d i scl ose as d i rectory i nformati on a 
student's I D number, user I D or other 
electronic identifier so long as the 
identifier functions I ike a name; that is, 
it cannot be used without a PIN, 
password, or some other authentication 
factor to gai n access to education 
records. This change will impose no 
costs and will provide benefits in the 
form of regulatory relief allowing 
agencies and institutions to use 
directory services in electronic 
communications systems without 
i ncurri ng the ad mi ni strati ve costs 
associated with obtaining student 
consent for these di scl osu res. 

Costs related to honoring a student's 
decision to opt out of these disclosures 
will be minimal because we assume that 
only a small number of students will 
elect not to parti ci pate i n electronic 
communi cations at thei r school . 
Applying thischange to records of both 
K-12 and postsecondary students and 
assumi ng that one-tenth of one percent 
of parents and eligible students will opt 
out of these d i scl osu res, we esti mate 
that institutions will have to flag the 
records of approximately 68,000 
students for opt-out purposes. We lack 
sufficient data on costs institutions 
currently incur to flag records for 
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directory information opt-outs for other 
purposes, so we are unable to estimate 
the administrative and information 
technology costs institutions will incur 
to process these new directory 
information opt-outs resulting from this 
change. 

Student Anonymity in the Classroom 

The final regulations will ensure that 
parents and students do not use the 
ri ght to opt out of d i rectory i nformati on 
disclosures to remain anonymous in the 
classroom, by clarifying that opting out 
does not prevent disclosure of the 
student's name, institutional e-mail 
address, or electronic identifier in the 
student's physical or electronic 
cl assroom. We esti mate that this change 
will result in a small net benefit to 
educational agencies and institutions 
because they will have greater I egal 
certai nty about the element of classroom 
administration, and itwill reduce the 
institutional costs of responding to 
complai nts from students and parents 
about the rel ease of th i s i nformati on . 

Disclosing Education Records to New 
School and to Party Identified as 
Source Record 

The final regulations in § 99.31(a)(2) 
will allow an educational agency or 
institution to disclose education 
records, or personally identifiable 
information from education records, to 
a student's new school even after the 
student i s al ready attendi ng the new 
school so long as the disclosure relates 
to the student's enrol I ment i n the new 
school. This change will provide 
regulatory relief by reducing legal 
uncertai nty about how long a school 
may conti nue to send records or 
information to a student's new school, 
without consent, under the "seeks or 
intends to enroll" exception. 

The amendment to the definition of 
disclosure in § 99.3 will allow a school 
that has concerns about the val idity of 
a transcript, letter of recommendation, 
or other record to return these 
documents (or personally identifiable 
information from these documents) to 
the student's previous school or other 
party identified as the source of the 
record in order to resolve questions 
about their validity. Combined with the 
change to § 99.31(a)(2), discussed earlier 
in thisanalysis, thischange will also 
al I ow the student's previ ous school to 
continue to send education records, or 
clarification about education records, to 
the student's new school in response to 
questions about the validity or meaning 
of records sent previously by that party. 
Weareunableto determine how much 
itwill cost educational agencies and 
institutions to return potentially 



fraudulent documents to the party 
identified as the sender because we do 
not have any basis for esti mati ng how 
often this occurs. However, we believe 
that these changes will provide 
si gn i f i cant regu I atory rel i ef to 
educational agencies and institutions by 
hel pi ng to reduce transcri pt and other 
educational fraud based on falsified 
records. 

Outsourcing 

The regulations in § 99.31(a)(l)(i) will 
allow educational agencies and 
institutions to disclose education 
records, or personally identifiable 
information from education records, 
without consent to contractors, 
volunteers, and other non-employees 
performing institutional services and 
functions as school officials with 
legitimate educational interests. An 
educational agency or institution that 
uses non -employees to perform 
institutional service and functions will 
have to amend its annual notification of 
FERPA rights to include these parties as 
school officials with legitimate 
educational interests. 

This change will provide regulatory 
relief by permitting, and clarifying the 
conditions for, non -con sensual 
disclosure of education records. Our 
experi ence suggests that vi rtual I y al I of 
the more than 103,000 schools subject to 
FERPA will take advantage of this 
provision. We have no actual data on 
how many school districts publish 
annual FERPA notifications for the 
97,382 K-12 public schools included in 
this total and, therefore, how many 
enti ti es w i 1 1 be affected by th i s 
requirement. However, because 
educational agencies and institutions 
were already required under previous 
regulations to publish a FERPA 
notification annually, we believe that 
costs to include this new information 
will be minimal. 

Access Control and T racking 

The regulations in § 99.31(a)(1)(H) 
will require an educational agency or 
institution to use reasonable methods to 
ensure that teachers and other school 
officials obtai n access to only those 
education records in which they have 
legitimate educational interests. This 
requirement will apply to records in any 
format, including computerized or 
electronic records and paper, film, and 
other hard copy records. An educational 
agency or institution that chooses not to 
restrict access to education records with 
physical or technological controls, such 
as locked cabi nets and role-based 
software security, must ensure that its 
ad mi n i strati ve pol i cy for control I i ng 
access i s effecti ve and that i t remai ns i n 



compliance with the legitimate 
educational interest requirement. 

Administrative experience has shown 
that schools that allow teachers and 
other school officials to have 
unrestricted access to education records 
tend to have more problems with 
unauthorized disclosures, such as 
school officials obtaining access to 
education records for personal rather 
than professional reasons. Preventing 
unrestricted access to education records 
by teachers and other school officials 
will benefit parents and students by 
hel pi ng to ensure that educati on records 
are used only for legitimate educational 
purposes. Itwill also help ensure that 
education records are not accessed or 
disclosed inadvertently. 

Information gathered by the Director 
of the Office at numerous FERPA 
training sessions and seminars, along 
with recent discussions with software 
vendors and educational organizations, 
indicates that the vast majority of mid- 
and large-size school districts and 
postsecondary institutions currently use 
commercial software for student 
information systems. These systems 
generally include role-based security 
features that al low administrators to 
control access to specific records, 
screens, or fields according to a school 
offi ci al 's duti es and responsi bi I i ti es. 
These systems also typical I y contai n 
transactional logging features that 
document or track a user's actual access 
to particular records, which will help 
ensure that an agency's or institution's 
access control methods are effective. 
Educational agencies and institutions 
that al ready have these systems will 
incur no additional costs to comply 
with the regulations. 

For purposes of thisanalysis we 
excluded from a total of 14,166 school 
districts and 6,463 postsecondary 
institutions those with more than 1,000 
students, for a total of 6,887 small K-12 
districts and 3,906 small postsecondary 
institutions that may not have software 
with access control security features. 
The discussions that the Director of the 
Office has had with numerous SEAs and 
local districts suggest that the vast 
majority of these small districts and 
institutions do not make education 
records avail able to school officials 
electronically or by computer but 
i nstead use some system of 
administrative and physical controls. 

We esti mate for this analysis that 15 
percent, or 1,619, of these small districts 
and institutions use home-built 
computerized or electronic systems that 
may not have the role-based security 
features of commercial software. The 
most recent publ i shed esti mate we have 
for software costs comes from the f i nal 
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Standards for Privacy of Individually 
Identifiable Health Information under 
the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA 
Privacy Rule) published by the 
Department of Health and Human 
Services (HHS) on December 28, 2000, 
which estimated that the initial per- 
hospital cost of software upgrades to 
track the disclosure of medical records 
would be $35,000 (65 FR 82768). We 
assume that costs will be comparabl e for 
education records, and, as discussed 
above, software that tracks d i scl osu re 
history can also be used to control or 
restrict access to electronic records. 
Based on these assumptions, if 1,619 
small K- 12 districts and postsecondary 
institutions decide to purchase student 
information software rather than rely on 
administrative policies to comply with 
the regulations, they will incur 
estimated costs of $56,665,000. We 
esti mate that the remain i ng 9,174 smal I 
districts and institutions will not 
purchase new software because they do 
not make education records avai I able 
electronically and rely instead on less 
costly administrative and physical 
methods to control access to records by 
school officials. Those that provide 
school officials with open access to hard 
copy education records may incur new 
costs to track actual di scl osures to hel p 
ensure that they remain in compliance 
with legitimate educational interests 
requi rements. We assume that these 
districts and institutions may devote 
some additional ad mi ni strati ve staff 
time to procedures such as keeping logs 
of school officials who access records. 
However, no rel iable esti mates exist for 
the average number of teachers and 
other school officials who access 
education records or the number of 
ti mes access is sought, so we are unable 
to esti mate the cost of restri cti ng or 
tracking actual disclosures of hard copy 
education records to school officials. 

Education Research 

The regulations in § 99.31(a)(6)(ii)(C) 
requi re an educational agency or 
institution to enter into a written 
agreement before disclosing personally 
identifiable information from education 
records, without consent, to 
organizationsconducting studies for, or 
on behalf of, the educational agency or 
institution to: (a) Develop, validate, or 
administer predictive tests; (b) 
administer student aid programs; or (c) 
improve instruction. The written 
agreement must specify the purpose or 
purposes, scope, and duration of the 
study or studies and the information to 
bedisclosed, require the organization to 
conduct the study i n a manner that does 
not permit personal identification of 



parents and students by anyone other 
than represen tati ves of the organ i zati on 
with legitimate interests, require the 
destruction or return of the information 
to the educational agency or institution 
when the study is completed, and 
specify the time period for destruction 
or return of the information. We believe 
that the additional cost of entering into 
written agreements to comply with this 
change is unlikely to be significant 
because most educational agencies and 
institutions al ready specify the terms 
under which personally identifiable 
information can be used when it is 
disclosed to organizations for these 
types of studies. Although this change 
will create an additional information 
collection requirement, we believe the 
benefits of the written agreement 
outweigh the costs, because it will 
ensure better compliance with FERPA 
and provide clarity for both researchers 
and educational agencies and 
institutions about the restrictions and 
use of personally identifiable 
information disclosed under 
§ 99.31(a)(6) for studies. 

Identification and Authentication of 
Identity 

The regulations in § 99.31(c) require 
educational agencies and institutions to 
use reasonable methods to identify and 
authenticate the identity of parents, 
students, school officials and other 
parties to whom the agency or 
institution discloses personally 
identifiable information from education 
record s. T h e u se of w i d el y avai I abl e 
information to authenticate identity, 
such as the red pient's name, date of 
birth, SSN or student ID number, is not 
considered reasonable under the 
regulations. 

The regulations will impose no new 
costs for educational agencies and 
i nsti tuti ons that d i scl ose hard-copy 
records through theU.S. postal service 
or private delivery services with use of 
the recipient's name and last known 
official address. 

We were unable to find rel iable data 
that would allow us to esti mate the 
additional administrative time that 
educational agencies and institutions 
will spend checking photo ID against 
school records or using other reasonable 
methods, as appropriate, to identify and 
authenticate the identity of students, 
parents, and other parties to whom the 
agency or institution discloses 
education records in person. 

Authentication of identity for 
electronic or telephonic access to 
education records involves a wider 
array of security options because of 
continuing advances in technologies, 
but is not necessarily more costly than 



authentication of identity for hard-copy 
records. We assume that educational 
agencies and institutions that require 
users to enter a secret password or PIN 
to authenticate identity will deliver the 
password or PIN through theU.S. postal 
service or in person. We esti mate that 
no new costs will be associated with 
this process because agencies and 
institutions already have direct contact 
with parents, eligible students, and 
school officials for a variety of other 
purposes and will use these 
opportunities to deliver a secret 
authentication factor. 

As noted in the preamble to the 
NPRM, 73 FR 15585, single-factor 
authentication of identity, such as a 
standard form user name combined with 
a secret password or PIN, may not 
provide reasonable protection for access 
to al I types of education records or 
under ail circumstances. We lack a basis 
for esti mati ng costs of authenticati ng 
identity when educational agencies and 
institutions allow authorized users to 
access sensitive personal or fi nancial 
information in electronic recordsfor 
which single-factor authentication 
would not be reasonable. 

Redisclosure and Recordkeeping 

The regulations allow the officials and 
agencies listed in § 99.31(a)(3) (theU.S. 
Comptroller General, the U.S. Attorney 
General, the Secretary, and State and 
local educational authorities) to 
redisclose education records, or 
personally identifiable information from 
education records, without consent 
under the same conditions that apply 
currently to other recipients of 
education records under § 99.33(b). This 
change provides substantial regulatory 
relief to these parties by allowing them 
to redisclose information on behalf of 
educational agencies and institutions 
under any provision in § 99.31(a), which 
allows disclosure of education records 
without consent. For example, States 
will be able to consolidate K- 16 
education records under the SEA or 
State higher educational authority 
without having to obtain written 
consent under § 99.30. Parties that 
currently request access to records from 
individual school districts and 
postsecondary institutions will in many 
i nstances be abl e to obtai n the same 
information in a more cost-effective 
manner from the appropriate State 
educational authority or the 
Department. 

In accordance with the current 
regulations in § 99.32(b), an educational 
agency or institution must record any 
redisclosure of education records made 
on its behalf under § 99.33(b), including 
the names of the additional parties to 
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which the receiving party may 
redisclose the information and their 
legitimate interests or basisforthe 
disclosure without consent under 
§ 99.31 in obtaining the information. 

The regulations require SEAs and other 
State educational authorities (such as 
higher education authorities), the 
Secretary, and other officials or agencies 
listed in § 99.31(a)(3) that make further 
disclosures on behalf of an educational 
agency or institution to maintain the 
record of redisclosure required under 
§ 99.32(b) if the educational agency or 
institution has not recorded the 
redisclosure or if the information was 
obtained from another State or Federal 
official or agency listed in § 99.31(a)(3). 
The regulations also require the State or 
Federal official or agency listed in 
§ 99.31(a)(3) to provide a copy of its 
record of redisclosures to the 
educational agency or institution upon 
request. In addition, an educational 
agency or institution must maintain 
with each student's record of 
disclosures the names of State and local 
educational authorities and Federal 
official sand agencies that may make 
further disclosures from the student's 
records without consent under 
§ 99.33(b) and must obtai n a copy of the 
record of redisclosure, if any, 
maintained by the State or Federal 
official that redisclosed information on 
behalf of the agency or institution. 

State educational authorities and 
Federal officials listed in § 99.31(a)(3) 
will incur new administrative costs if 
they maintain the record of redisclosure 
for the educational agency or institution 
on whose behalf they redisclose 
education records under the regulations. 
We esti mate that two educational 
authorities or agencies in each State and 
the District of Columbia (one for K-12 
and one for postsecondary) and the 
Department itself, for a total of 103 
authorities, will maintain the required 
records of red i scl osu res. (W e anti ci pate 
that educational agencies and 
institutions will record under 
§ 99.32(b)(1) any further disclosures 
made by the other Federal officials 
listed in § 99.31(a)(3), theU.S. 

Comptrol ler General and the U .S. 
Attorney General .) We esti mate further 
that these authorities will need to record 
two redisclosures per year from their 
records and that it will take one hour of 
administrative time to record each 
red i scl osu re el ectron i cal I y at an average 
hourly rate of $32.67, for a total annual 
administrative cost of $6,730. 
(Compensation for administrative staff 
time is explained earlier in this 
analysis.) Wealso assume for purposes 
of this analysis that State educational 



authorities and the Department al ready 
have software that will al I ow them to 
record these d i scl osu res el ectron i cal I y . 

State educational authorities and 
Federal officials that maintain records of 
redisclosures will also have to makethat 
i nformati on avai I abl e to the ed ucati onal 
agency or institution whose records 
were redisclosed, upon request, so that 
the agency or institution can makethat 
record avai I abl e to a parent or el i gi bl e 
student who has asked to i nspect and 
review the student's record of 
disclosures. We assume that few parents 
and students request this information 
and, therefore, use an esti mate that one 
tenth of one percent of a total of 68.1 
million students will make such a 
request each year, or 68,076 requests. If 
it takes one-quarter of an hour to locate 
and print a record of disc I osu res at an 
average administrative hourly rate of 
$32.67, the average annual 
administrative cost for State and Federal 
official sand agencies to provide this 
service will be $556,011, pi us mailing 
costs (at $.42 per letter) of $28,592, for 
a total of $584,603. We esti mate that 
educational agencies and institutions 
themsel ves wi 1 1 i ncur comparabl e costs 
when they ask State and Federal 
officials to send them these records of 
redisclosure and then make them 
availableto parents and students. We 
note that pri nti ng and mai I i ng costs may 
be reduced to the extent that e-mail is 
used to transmit the record, and if 
parents or students pick up the record 
on-site, but we do not have information 
to esti mate these potenti al savi ngs. 

The Department bel i eves that these 
changes will result in a net benefit to 
educational agencies and institutions 
because they will not have to record 
further disclosures made by State and 
Federal authorities and officials who 
redisclose information from education 
records on thei r behalf and will not 
have to ask for a copy unless a parent 
or eligible student asks to inspect and 
review the student's record of 
disclosures. State and Federal 
authorities and officials will also benefit 
because they will not have to provide 
their record of further disc I osu res to 
anyone unless the educational agency or 
institution asks for a copy. Overal I, the 
costs to State and Federal authorities to 
record theirown redisclosures will be 
offset by the savi ngs that educational 
agencies and institutions will realize by 
not having to record the disclosures 
themselves. 

Notification of Compliance With Court 
Order or Subpoena 

The regulations in § 99.33(b)92) 
require any party that rediscl oses 
education records in compliance with a 



court order or subpoena under 
§ 99.31(a)(9) to provide the notice to 
parents and eligible students required 
under § 99.31(a)(9)(ii). We anticipate 
that this provision will affect mostly 
State and local educational authorities, 
which maintain education records they 
have obtai ned from thei r constituent 
districts and institutions and, under 
§ 99.35(b), may redisclose the 
information, without consent, in 
compliance with a court order or 
subpoena under § 99.31(a)(9). 

There is no change in costs as a result 
of shifting responsi bility for notification 
to the disclosing party under this 
change. Flowever, we believe that 
minimizing or eliminating uncertainty 
about which party is legally responsible 
for the notification will result in a net 
benefit to all parties. 

Health or Safety Emergency 

The regulations in § 99.32(a)(5) 
require that a school that discloses 
information under the health and safety 
emergency exception in § 99.36 record 
the arti cu I abl e and si gn i f i cant threat 
that formed the basis for the disclosure 
and the parties to whom the education 
records were disclosed. Because 
§ 99.32(a) already requires schools to 
record disclosures made under § 99.36, 
including the legiti mate interests the 
parties had in requesting or obtaining 
the information, we believe these 
changes will not create any significant 
additional administrative costs for 
school sand that the benefit of including 
the I egi ti mate i nterests the parti es had 
in requesting or obtaining the 
information outweighs the costs. 

Directory Information Opt Outs 

The regulations in § 99.37(b) clarify 
that while an educational agency or 
institution is not required to notify 
former students under § 99.37(a) about 
the institution's directory information 
policy or allow former students to opt 
out of d i rectory i nformati on d i scl osu res, 
they must continue to honor a parent's 
or student's decision to opt out of 
directory information disclosures after 
the student leaves the institution. Most 
agencies and institutions should already 
comply with this requirement because 
of informal guidance and training 
provided by FPCO. 

Parents and students will benefit from 
this clarification because itwill help 
ensure that schools do not invalidate the 
parent's or student's decisions on 
directory information disclosures after 
the student is no longer in attendance. 
Itwill also benefit schools by 
eliminating any uncertainty they may 
have about whether they must conti nue 
to honor an opt out once the student i s 
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no longer in attendance. We have 
insufficient information to estimate the 
number of institutions affected and the 
additional costs involved in changing 
systems to mai ntai n opt-out fl ags on 
education records of former students. 

Paperwork Reduction Act of 1995 

Following publication of the NPRM, 
we provided, through a notice 
published in the Federal Register (73 
FR 28810, May 19, 2008) opportunity 
for the publ ic to comment on 
information collections in the current 
regulations, and indicated in that notice 
the pendency of the NPRM. 
Additionally, based on comments 
received in response to the NPRM, we 
have identified several information 
collection requirements associated with 
these regulations. We describe these 
information collections in the foil owing 
paragraphs and will be submitting these 
sections to OM B for review and 
approval . We note that the Paperwork 
Reduction Act of 1995 does not require 
a response to these information 
collection requirements uni ess they 
display a valid OM B control number. A 
valid OMB control numberwill be 
assigned to the i nformation col lection 
requ i rements at the end of the affected 
sections of the regulations. 

(1) § 99.31(a)(6)(ii) 

FERPA permits an educational agency 
or institution to disclose personally 
identifiable information from education 
records, without consent, to 
organizationsconducting studies for or 
on behalf of the agency or institution for 
purposes of testi ng, student aid, and 
improvement of instruction. In the 
NPRM, we proposed to add 
§ 99.31(a)(6)(ii) to require that an 
educational agency or institution to 
disclose personally identifiable 
information under § 99.31(a)(6)(i) only if 
it enters i nto a written agreement with 
the organization specifyi ng the purposes 
of the study. U nder these fi nal 
regulations, this written agreement must 
specify the purpose, scope, and duration 
of the study or studies and the 
information to bedisclosed; require the 
organization to use personally 
identifiable information from education 
records only to meet the purpose or 
purposes of the study as stated i n the 
written agreement; require the 
organization to conduct the study in a 
manner that does not permit personal 
identification of parents and students by 
individuals other than representatives 
with legitimate interest of the 
organization that conducts the study; 
requ i re the organization to destroy the 
information or return to the educational 
agency or institution when it is no 



longer needed for the purposes for 
which the study was conducted; and 
specify the time period for the 
destruction or return of the information. 

The Department did not identify in 
the NPRM the requirement in 
§ 99.31(a)(6)(H) as an information 
collection requirement under the 
Paperwork Reduction Act of 1995 and 
did not realize this would bean 
information collection requirement until 
a commenter brought this matter to our 
attention. The commenter pointed out 
that, while this change created another 
paperwork burden for school districts, 
the commenter did not object to the 
written agreement requirement because 
putti ng the requ i rements regard i ng the 
use and destruction of data in writing 
may improve compliance with FERPA. 
The Department agrees with the 
comment. 

(2) § 99.32(a)(1) 

Under FERPA, an educational agency 
or institution is required to record its 
disclosures of personally identifiable 
information from education records, 
even when it discloses information to its 
own State educational authority. This 
statutory requirement is reflected in the 
current FERPA regulations. Thefinal 
regulations permit the State and local 
educational authorities and Federal 
officials listed in § 99.31(a)(3) to make 
further discloses of personally 
identifiable information from education 
records on behalf of the educational 
agency or institution in accordance with 
the requirements of § 99.33(b) and 
require them to record these further 
disclosures of § 99.33(b) if the 
educational agency or institution does 
not do so. We have included provisions 
in the final regulations that require 
educational agencies and institutions to 
maintain a listing in each student's 
record of the State and local educational 
authorities and Federal officials and 
agenci es that may make further 
di scl osures of the student's educati on 
records without consent so that parents 
and eligible students will be made 
aware of these further disclosures. 

(3) § 99.32(a)(4) 

Under this new provision, parents 
and eligible students will beableto 
inspect and review any further 
disclosures that were made by any of 
the parties listed under § 99.31(a)(3) by 
asking the educational agency or 
institution to obtai n a copy of the record 
of further disclosures. We believe that 
this is only a minor paperwork burden 
for schools because it would involve 
asking officials to whom they have 
disclosed education records for the 
record of further disclosure or, in the 



case of some SEAs, accessi ng the State 
database for this information. Also, we 
do not expect that a large number of 
parents and eligible students will ask to 
seethe record of further disclosures. 

(4) § 99.32(a)(5) 

Duri ng the devel opment of the f i nal 
regulations, we identified another 
change to the recordation requ i rements 
of § 99.32 that would require the 
collection of information. In response to 
several comments we received regarding 
changes to FERPA's "health or safety 
emergency exception" in § 99.36, we 
have amended § 99.32(a) to i ncl ude a 
new recordation requirement. 
Specifically, we have added a paragraph 
to the recordation requi rement that 
requires that for any disclosures under 
§ 99.36 a school must record the 
arti cu I abl e and si gn i fi cant th reat to the 
health or safety of a student or other 
individuals that formed the basis for the 
disclosure and the parties to whom the 
agency or institution disclosed 
information. 

T he Sec retary bel i eves th at th i s i s 
only a minor paperwork burden for 
school s because school s are al ready 
required to record disclosures made 
under § 99.36. The new language in 
§ 99.32(a)(5) simply clarifies the type of 
information that must be recorded when 
a school discloses personally 
identifiable information in response to a 
health or safety emergency, either for 
one student or for al I students i n a 
school . 

(5) § 99.32(b)(2) 

In the NPRM, we specifically noted 
that the Department was interested in 
relieving any administrative burdens 
associated with recording disci osures of 
education records and, therefore, 
invited public comment on whether an 
SEA, the Department, or other authority 
or official listed in § 99.31(a)(3) should 
be al I owed to mai ntai n the record of the 
redisclosures it makes on behalf of an 
educational agency or institution under 
§ 99.32(b). 

Several commenters stated that an 
SEA (or other authority or official listed 
in § 99.31(a)(3)) should be responsible 
for maintaining the record of disclosure 
required under § 99.32 when it 
rediscloses information on behalf of 
educational agencies and institutions. 
The commenters stated that requiring 
each educational agency or institution, 
such as school districts, to record each 
redisclosure made by an SEA or other 
State educational authority on its behalf 
imposes an unacceptable recordkeeping 
burden on school districts and is 
impractical for State educational 
authorities to adhere to in making 
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further disclosures on behalf of the 
agency or institution. In response to 
these comments, we are revi si ng § 99.32 
to require the State and local 
educational authorities and Federal 
officials listed in § 99.31(a)(3) to 
mai ntai n the record of further 
disclosures if the educational agency or 
institution does not do so and make it 
avai I able to the educational agency or 
institution upon request. Weagreethat 
by requiring State and Federal 
authorities and officials to record their 
redisclosures in these circumstances 
school districts will have less total 
paperwork burden because schools will 
not have to comply with the 
recordkeeping requirement in these 
instances. 

Assessment of Educational Impact 

In the NPRM, and in accordance with 
section 411 of the General Education 
Provisions Act, 20 U.S.C. 1221e-4, we 
requested comments on whether the 
proposed regulations would require 
transmission of information that any 
other agency or authority of the United 
States gathers or makes avai I able. 

Based on the response to the NPRM 
and on our review, we have determined 
that these final regulations do not 
require transmission of information that 
any other agency or authority of the 
United States gathers or makes 
available. 

Electronic Access to This Document 

You may view this document, as well 
as al I other Department of Education 
documents published in the Federal 
Register, i n text or Adobe Portable 
Document Format (PDF) on the Internet 
at th e f o 1 1 o w i n g si te: ww w. ed . go v/ n ews/ 
fed register. 

To use PDF you must have Adobe 
Acrobat Reader, which is avai I able free 
at this site. If you have questions about 
using PDF, call theU.S. Government 
Printing Office (GPO), toll free, at 1- 
888-293-6498; or in the Washington, 

DC area at (202) 512- 1530. 

Note: Theofficial version of this document 
is the document published in the Federal 
Regi ster. F ree I nternet access to the offi ci al 
edition of the Federal Register and the Code 
of Federal Regulations is avai I able on GPO 
Access at www.gpoaccess.gov/nara/ 
index.html. 

(Catalog of Federal Domestic Assistance 
Number does not apply.) 

List of Subjects in 34 CFR Part 99 

Administrative practice and 
procedure, Directory information, 
Education records, Information, Parents, 
Privacy, Records, Social Security 
Numbers, Students. 



Dated: December 2, 2008. 

Margaret Spellings, 

Secretary of Ed ucati on . 

■ For the reasons discussed in the 
preamble, the Secretary amends part 99 
of title 34 of the Code of Federal 
Regulations as follows: 

PART 99— FAMILY EDUCATIONAL 
RIGHTS AND PRIVACY 

■ 1. The authority citation for part 99 
continues to read as follows: 

Authority: 20 U.S.C. 1232g, unless 
otherwise noted. 

■ 2. Section 99.2 isamended by revising 
the note following the authority citation 
to read as follows: 

§ 99.2 What is the purpose of these 
regulations? 

Note to § 99.2: 34 CFR 300.610 through 
300.626 contai n requi rements regardi ng the 
confidentiality of information relating to 
children with disabilities who receive 
evaluations, services or other benefits under 
PartB of the Individuals with Disabilities 
Education Act (IDEA). 34 CFR 303.402 and 
303.460 identify the confidentiality of 
information requirements regarding children 
and infants and toddlers with disabilities and 
thei r fami I i es who receive eval uati ons, 
services, or other benefits under Part C of 
IDEA. 34 CFR 300.610 through 300.627 
contain the confidentiality of information 
requi rements that apply to personal I y 
identifiable data, information, and records 
collected or maintained pursuant to Part B of 
the IDEA. 

■ 3. Section 99.3 isamended by: 

■ A. Adding, in alphabetical order, a 
definition of Biometric record. 

■ B. Revisingthedefinitionsof 
Attendance, Directory information, 
Disclosure, and Personally identifiable 
information. 

■ C. In thedefinition of Education 
records, revising paragraph (b)(5) and 
adding a new paragraph (b)(6). 

These additions and revisions read as 
fol I ows: 

§ 99.3 What definitions apply to these 
regulations? 

Attendance includes, but is not 
limited to— 

(a) Attendance in person or by paper 
correspondence, videoconference, 
satellite, Internet, or other electronic 
information and telecommunications 
technologies for students who are not 
physically present in the classroom; and 

(b) The period during which a person 
is working under a work-study program. 

(Authority: 20 U.S.C. 1232g) 

Biometric record, as used in the 
definition of personally identifiable 



information, means a record of one or 
more measurable biological or 
behavioral characteristics that can be 
used for automated recognition of an 
individual. Examples include 
fingerprints; retina and iris patterns; 
voiceprints; DNA sequence; facial 
characteristics; and handwriting. 

(Authority: 20 U.S.C. 1232g) 

Directory information means 
information contained in an education 
record of a student that would not 
generally be considered harmful or an 
invasion of privacy if disclosed. 

(a) Directory information includes, 
but is not I imited to, the student's name; 
address; telephone listing; electronic 
mail address; photograph; date and 
place of birth; major field of study; 
grade level; enrol Iment status (e.g., 
undergraduate or graduate, full-time or 
part-time); dates of attendance; 
participation in officially recognized 
activities and sports; weight and height 
of members of athletic teams; degrees, 
honors and awards received; and the 
most recent educational agency or 
institution attended. 

(b) Directory information does not 
i ncl ude a student's— 

(1) Social security number; or 

(2) Student identification (ID) 
number, except as provided in 
paragraph (c) of this section. 

(c) Directory information includes a 
student I D number, user I D, or other 
unique personal identifier used by the 
student for purposes of accessi ng or 
communicating in electronic systems, 
but only if the identifier cannot be used 
to gain access to education records 
except when used in conjunction with 
one or more factors that authenti cate the 
user's identity, such as a personal 
identification number (PIN), password, 
or other factor known or possessed only 
by the authorized user. 

(Authority: 20 U.S.C. 1232g(a)(5)(A )) 

Disclosure means to permit access to 
or the release, transfer, or other 
communication of personally 
identifiable information contained in 
education records by any means, 
including oral, written, or electronic 
means, to any party except the party 
identified as the party that provided or 
created the record. 

(Authority: 20 U.S.C. 1232g(b)(l) and (b)(2)) 

Education Records 

(b) * * * 

(5) Records created or received by an 
educational agency or institution after 
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an individual is no longer a student in 
attendance and that are not directly 
related to the individual's attendance as 
a student. 

(6) Grades on peer-graded papers 
before they are collected and recorded 
by a teacher. 

Personally Identifiable Information 

The term includes, but is not limited 
to— 

(a) The student's name; 

(b) The name of the student's parent 
or other fami ly members; 

(c) The address of the student or 
student's family; 

(d) A personal identifier, such as the 
student's social security number, 
student number, or biometric record; 

(e) Other indirect identifiers, such as 
the student's date of bi rth, place of 
birth, and mother's maiden name; 

(f) Other information that, alone or in 
combination, is linked or linkable to a 
specific student that would allow a 
reasonable person in the school 
community, who does not have personal 
knowledge of the rel evant 
circumstances, to identify the student 
with reasonable certainty; or 

(g) Information requested by a person 
who the educational agency or 
institution reasonably believes knows 
the i dentity of the student to whom the 
education record relates. 

(Authority: 20 U.S.C. 1232g) 

■ 4. Section 99.5 is amended by 
redesignating paragraph (a) as paragraph 
(a)(1) and adding a new paragraph (a)(2) 
to read as fol I ows: 

§ 99.5 What are the rights of students? 

(a)(1)* * * 

(2) Nothing in this section prevents an 
educational agency or institution from 
disclosing education records, or 
personally identifiable information from 
education records, to a parent without 
the prior written consent of an eligible 
student if the disclosure meets the 
conditions in § 99.31(a)(8), 

§ 99.31(a)(10), § 99.31(a)(15), or any 
other provision in § 99.31(a). 

■ 5. Section 99.31 is amended by: 

■ A. Redesignating paragraph (a)(1) as 
paragraph (a)(l)(i)(A) and adding new 
paragraphs (a)(l)(i)(B) and (a)(l)(ii). 

■ B. Revising paragraph (a)(2). 

■ C. Redesignating paragraphs (a)(6)(iii) 
and (a)(6)(iv) as paragraphs (a)(6)(iv) 
and (a)(6)(v), respectively. 

■ D. Revising paragraph (a)(6)(H). 

■ E.Addinganew paragraph (a)(6)(iii). 

■ F. In paragraph (a)(9)(ii)(A), removing 
the word "or” after the punctuation 



■ G. In paragraph (a)(9)(ii)(B), removing 
the punctuation and adding in its 
pi ace the word ";or". 

■ H. Adding paragraph (a)(9)(ii)(C). 

■ I . Addi ng paragraph (a)(16). 

■ J. Revising paragraph (b). 

■ K. Adding paragraphs(c) and (d). 

■ L. Revising the authority citation at 
the end of the section. 

The additions and revisions read as 
fol I ows: 

§99.31 Under what conditions is prior 
consent not required to disclose 
information? 

(a)* * * 

(l)(i)(A) * * * 

(B) A contractor, consultant, 
vol unteer, or other party to whom an 
agency or institution has outsourced 
institutional services or functions may 
be considered a school official under 
this paragraph provided that the outside 
party— 

(1) Performs an institutional service or 
function for which the agency or 
institution would otherwise use 
employees; 

(2) Is under the direct control of the 
agency or institution with respect to the 
use and maintenance of education 
records; and 

(3) Is subject to the requirements of 
§ 99.33(a) governing the use and 
redisclosure of personally identifiable 
information from education records. 

(ii) An educational agency or 
institution must use reasonable methods 
to ensure that school officials obtai n 
access to only those education records 
in which they have legitimate 
educational interests. An educational 
agency or institution that does not use 
physical or technological access 
controls must ensure that its 
ad mi n i strati ve pol i cy for control I i ng 
access to educati on records i s effecti ve 
and that itremains in compliance with 
the legitimate educational interest 
requirement in paragraph (a)(l)(i)(A) of 
this section. 

(2) The disclosure is, subject to the 
requirements of § 99.34, to officials of 
another school, school system, or 
institution of postsecondary education 
where the student seeks or i ntends to 
enroll, or where the student is already 
enrolled so long as the disclosure is for 
purposes related to the student's 
enrol I ment or transfer. 

Note: Section 4155(b) oftheNoChild Left 
Behind Act of 2001, 20 U.S.C. 7165(b), 
requires each State to assure the Secretary of 
Education that it has a procedure in place to 
facilitate the transfer of disciplinary records 
with respect to a suspension or expulsion of 
a student by a local educational agency to 
any private or public elementary or 
secondary school in which the student is 
subsequently enrolled or seeks, intends, or is 
instructed to enroll. 



(6)(i) * * * 

(ii) An educational agency or 
institution may disclose information 
under paragraph (a)(6)(i) of this section 
only if— 

(A) The study is conducted in a 
manner that does not permit personal 
identification of parents and students by 
individuals other than representatives of 
the organization that have legitimate 
interests in the information; 

(B) The information isdestroyed 
when no longer needed for the purposes 
for which the study was conducted; and 

(C) The educational agency or 
institution enters into a written 
agreement with the organization that— 

(1) Specifies the purpose, scope, and 
duration of the study or studies and the 
information to be disclosed; 

(2) Requires the organization to use 
personally identifiable information from 
education records only to meet the 
purpose or purposes of the study as 
stated in the written agreement; 

(3) Requires the organization to 
conduct the study i n a manner that does 
not permit personal identification of 
parents and students, as defined in this 
part, by anyone other than 
representatives of the organization with 
legitimate interests; 

and 

(4) Requires the organization to 
destroy or return to the educational 
agency or institution all personally 
identifiable information when the 
information is no longer needed for the 
purposes for which the study was 
conducted and specifies the time period 
in which the information must be 
returned or destroyed. 

(iii) An educational agency or 
institution is not required to initiatea 
study or agree with or endorse the 
conclusions or results of the study. 

(g) * * * 

(j j 'j * * * 

(C) An ex parte court order obtained 
by the U nited States Attorney General 
(or designee not lower than an Assistant 
Attorney General) concerning 
investigations or prosecutions of an 
offense listed in 18 U.S.C. 2332b(g)(5)(B) 
or an act of domesti c or i nternati onal 
terrorism as defined in 18 U.S.C. 2331. 

(16) The di scl osu re concerns sex 
offenders and other individuals required 
to register under section 170101 of the 
Violent Crime Control and Law 
Enforcement Act of 1994, 42 U .S.C. 
14071, and the information was 
provided to the educational agency or 
institution under 42 U.S.C. 14071 and 
applicable Federal guidelines. 

(b)(1) De-identified records and 
information. An educational agency or 
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institution, or a party that has received 
education records or information from 
education records under this part, may 
rel ease the records or i nformati on 
without the consent required by §99.30 
after the removal of al I personal I y 
identifiable information provided that 
the educational agency or institution or 
other party has made a reasonable 
determination that a student's identity 
is not personally identifiable, whether 
through singleor multiple releases, and 
taking into account other reasonably 
avai I abl e i nformati on . 

(2) An educational agency or 
institution, or a party that has received 
education records or information from 
education records under this part, may 
release de-identified student level data 
from education records for the purpose 
of education research by attaching a 
code to each record that may al low the 
recipient to match information received 
from the same source, provided that— 

(i) An educational agency or 
institution or other party that releases 
de-identified data under paragraph 

(b)(2) of this section does not disclose 
any information about how it generates 
and assigns a record code, or that would 
allow a recipientto identify a student 
based on a record code; 

(ii) The record code is used for no 
purpose other than identifying a de- 
identified record for purposes of 
education research and cannot be used 
to ascertain personally identifiable 
information about a student; and 

(i i i ) The record code i s not based on 
a student's social security number or 
other personal information. 

(c) An educational agency or 
institution must use reasonable methods 
to identify and authenticate the identity 
of parents, students, school officials, 
and any other parties to whom the 
agency or institution discloses 
personally identifiable information from 
education records. 

(d) Paragraphs (a) and (b) of this 
section do not require an educational 
agency or institution or any other party 
to disclose education records or 
information from education records to 
any party. 

(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), 
(i), and (j)). 

■ 6. Section 99.32 is amended by: 

■ A. Revising paragraph (a)(1). 

■ B. Adding new paragraphs (a)(4) and 

(a) (5). 

■ C. Redesignating paragraphs (b)(1) and 

(b) (2) as paragraphs (b)(l)(i) and 
(b)(l)(ii) and redesignating paragraph 
(b), introductory text, as paragraph 
(b)(1). 

■ D. Revising newly redesignated 
paragraph (b)(1). 



■ E. Addinga new paragraph (b)(2). 

■ F. Revising paragraph (d)(5). 

The additions and revisions read as 
fol I ows: 

§99.32 What recordkeeping requirements 
exist concerning requests and disclosures? 

(a) (1) An educational agency or 
institution must maintain a record of 
each request for access to and each 
disclosure of personally identifiable 
information from the education records 
of each student, as wel I as the names of 
State and local educational authorities 
and Federal official sand agencies listed 
in § 99.31(a)(3) that may make further 
disclosures of personally identifiable 

i nformati on from the student's 
education records without consent 
under § 99.33(b). 

(4) An educational agency or 
institution must obtain a copy of the 
record of further disclosures maintained 
under paragraph (b)(2) of this section 
and make it available in response to a 
parent's or eligi ble student's request to 
review the record required under 
paragraph (a)(1) of this section. 

(5) An educational agency or 
institution must record the following 
information when it discloses 
personally identifiable information from 
education records under the health or 
safety emergency exception in 

§ 99.31(a)(10) and § 99.36: 

(1) The articulable and significant 
threat to the health or safety of a student 
or other individuals that formed the 
basis for the disclosure; and 

(ii) The parties to whom the agency or 
institution disclosed the information. 

(b) (1) Except as provided in paragraph 
(b)(2) of this section, if an educational 
agency or institution discloses 
personally identifiable information from 
education records with the 
understanding authorized under 

§ 99.33(b), the record of the disclosure 
required under this section must 
include: 

(2) (i) A State or local educational 
authority or Federal official or agency 
listed in § 99.31(a)(3) that makes further 
disclosures of information from 
education records under § 99.33(b) must 
record the names of the additional 
parties to which it discloses information 
on behalf of an educational agency or 
institution and their legitimate interests 
in the information under § 99.31 if the 
information was received from: 

(A) An educational agency or 
institution that has not recorded the 
further disclosures under paragraph 
(b)(1) of this section; or 



(B) Another State or local educational 
authority or Federal official or agency 
listed in § 99.31(a)(3). 

(ii) A State or local educational 
authority or Federal official or agency 
that records further disclosures of 
information under paragraph (b)(2)(i) of 
this section may maintain the record by 
the student's class, school, district, or 
other appropri ate groupi ng rather than 
by the name of the student. 

(iii) Upon request of an educational 
agency or institution, a State or local 
educational authority or Federal official 
or agency listed in § 99.31(a)(3) that 
mai ntai ns a record of further disclosures 
under paragraph (b)(2)(i) of this section 
must provide a copy of the record of 
further disclosures to the educational 
agency or institution within a 
reasonable period of time not to exceed 
30 days. 

(d) * * * 

(5) A party seeking or receiving 
records in accordance with 
§99.31(a)(9)(ii)(A) through (C). 

■ 7. Section 99.33 is amended by 
revising paragraphs (b), (c), (d), and (e) 
to read as fol I ows: 

§ 99.33 What limitations apply to the 
redisclosure of Information? 

(b) (1) Paragraph (a) of this section 
does not prevent an educational agency 
or institution from disclosing personally 
identifiable information with the 
understanding that the party receiving 
the information may make further 
disclosures of the information on behalf 
of the educational agency or institution 
if— 

(1) The disclosures meet the 
requi rements of § 99.31; and 

(ii)(A) The educational agency or 
institution has complied with the 
requi rements of § 99.32(b); or 

(B) A State or local educational 
authority or Federal official or agency 
listed in § 99.31(a)(3) has complied with 
the requi rements of § 99.32(b)(2). 

(2) A party that receives a court order 
or lawfully issued subpoena and 
rediscloses personally identifiable 
information from education records on 
behalf of an educational agency or 
institution in response to that order or 
subpoena under § 99.31(a)(9) must 
provide the notification required under 
§ 99.31(a)(9)(ii). 

(c) Paragraph (a) of this section does 
not apply to disclosures under 

§§ 99.31(a)(8), (9), (11), (12), (14), (15), 
and (16), and to information that 
postsecondary institutions are required 
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to disclose under theJeanneClery 
Disclosure of Campus Security Policy 
and Campus Crime Statistics Act, 20 
U.S.C. 1092(f) (Clery Act), to the accuser 
and accused regarding the outcome of 
any campus disciplinary proceeding 
brought al legi ng a sexual offense. 

(d) An educational agency or 
institution must inform a party to whom 
disclosure is made of the requirements 
of paragraph (a) of this section except 
for disclosures made under 

§§ 99.31(a)(8), (9), (11), (12), (14), (15), 
and (16), and to information that 
postsecondary institutions are required 
to disclose under the Clery Act to the 
accuser and accused regarding the 
outcome of any campus disci pi inary 
proceeding brought alleging a sexual 
offense. 

(e) If this Office determines that a 
third party outside the educational 
agency or institution improperly 
rediscloses personally identifiable 
information from education records in 
violation of this section, or fails to 
provide the notification required under 
paragraph (b)(2) of this section, the 
educational agency or institution may 
not al I ow that th i rd party access to 
personally identifiable information from 
education recordsfor at I east five years. 

■ 8. Section 99.34 is amended by 
revising paragraph (a)(l)(ii) to read as 
follows: 

§ 99.34 What conditions apply to 
disclosure of information to other 
educational agencies and institutions? 

(a)* * * 

* * 

(ii) The annual notification of the 
agency or institution under § 99.7 
i ncl udes a noti ce that the agency or 
institution forwards education records 
to other agencies or institutions that 
have requested the records and in which 
the student seeks or i ntends to enrol I or 
is already enrolled so long as the 
disclosure is for purposes related to the 
student's enrol I ment or transfer; 

■ 9. Section 99.35 is amended by 
revising paragraphs (a) and (b)(1) to read 
as fol I ows: 

§ 99.35 What conditions apply to 
disclosure of information for Federal or 
State program purposes? 

(a)(1) Authorized representatives of 
the officials or agencies headed by 
officials listed in § 99.31(a)(3) may have 
access to education records in 
connection with an audit or evaluation 
of Federal or State supported education 
programs, or for the enforcement of or 
compliance with Federal legal 



requ i rements that rel ate to those 
programs. 

(2) Authority for an agency or official 
listed in § 99.31(a)(3) to conduct an 
audit, evaluation, or compliance or 
enforcement activity is not conferred by 
the Act or this part and must be 
established under other Federal, State, 
or local authority. 

(b) * * * 

(1) Be protected in a manner that does 
not permit personal identification of 
individuals by anyone other than the 
officials or agencies headed by officials 
referred to in paragraph (a) of this 
section, except that those officials and 
agencies may make further disclosures 
of personally identifiable information 
from education records on behalf of the 
educational agency or institution in 
accordance with the requi rements of 
§ 99.33(b); and 

■ 10. Section 99.36 is amended by 
revising paragraphs (a) and (c) to read as 
follows: 

§ 99.36 What conditions apply to 
disclosure of information in health and 
safety emergencies? 

(a) An educational agency or 
institution may disclose personally 
identifiable information from an 
education record to appropriate parties, 
including parents of an eligible student, 
in connection with an emergency if 
knowledge of the information is 
necessary to protect the health or safety 
of the student or other individuals. 

(c) In making a determination under 
paragraph (a) of this section, an 
educational agency or institution may 
take i nto account the total ity of the 

ci rcumstances pertai ni ng to a threat to 
the health or safety of a student or other 
individuals. If the educational agency or 
i nsti tuti on determi nes that there i s an 
arti cu I abl e and si gn i f i cant threat to the 
health or safety of a student or other 
i nd i vi d ual s, it may d i scl ose i nformati on 
from education records to any person 
whose knowledge of the information is 
necessary to protect the health or safety 
of the student or other individuals. If, 
based on the information avail abl eat 
the time of the determi nation, there is 
a rational basisfor the determination, 
the Department wi 1 1 not substitute its 
judgment for that of the educational 
agency or institution in evaluating the 
circumstances and making its 
determination. 

■ 11. Section 99.37 is amended by: 

■ A. Revising paragraph (b). 

■ B. Adding new paragraphs(c) and (d). 

The revision and additions read as 

fol I ows: 



§ 99.37 What conditions apply to 
disclosing directory information? 

(b) An educational agency or 
institution may disci ose directory 
information about former students 
without complying with the notice and 
opt out conditions in paragraph (a) of 
this section. Flow ever, the agency or 
institution must continue to honor any 
valid request to opt out of the disclosure 
of directory information madewhilea 
student was in attendance unless the 
student resci nds the opt out request. 

(c) A parent or eligible student may 
not use the right under paragraph (a)(2) 
of th i s secti on to opt out of d i rectory 
information disclosures to prevent an 
educational agency or institution from 
disclosing or requiring a student to 
disclose the student's name, identifier, 
or institutional e-mail address in a class 
in which the student isenrolled. 

(d) An educational agency or 
institution may not disclose or confirm 
directory information without meeting 
the written consent requirements in 

§ 99.30 if a student's social security 
number or other non-directory 
information is used alone or combined 
with other data elements to identify or 
help identify the student or the 
student's records. 

■ 12. Section 99.62 is revised to read as 
follows: 

§99.62 What information must an 
educational agency or institution submit to 
the Office? 

The Office may requi re an educational 
agency or institution to submit reports, 
information on policies and procedures, 
annual notifications, training materials, 
and other information necessary to carry 
out its enforcement responsibilities 
under the Act or this part. 

(Authority: 20 U.S.C. 1232g(f) and (g)) 

§99.63 [Amended] 

■ 13. Section 99.63 is amended by 
removi ng the mai I code designation 
"4605'' before the punctuation 

■ 14. Section 99.64 is amended by: 

■ A. Revising the secti on heading. 

■ B. Revising paragraphs (a) and (b). 

The revisions read as fol lows: 

§ 99.64 What is the investigation 
procedure? 

(a) A complaint must contain specific 
allegations of fact givi ng reasonable 
cause to believe that a violation of the 
Act or this part has occurred. A 
complaint does not have to allege that 
a vi ol ati on is based on a pol i cy or 
practice of the educational agency or 
institution. 
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(b) The Office investigates a timely 
complaint filed by a parent or eligible 
student, or conducts its own 
investigation when no complaint has 
been filed or a complaint has been 
withdrawn, to determine whether an 
educational agency or institution has 
failed to comply with a provision of the 
Act or this part. If the Office determines 
that an educational agency or institution 
has failed to comply with a provision of 
the Act or this part, it may also 
determine whether the failure to comply 
is based on a pol icy or practice of the 
agency or institution. 

■ 15. Section 99.65 is revised to read as 
follows: 

§ 99.65 What is the content of the notice of 
investigation issued by the Office? 

(a) The Office notifies the 
complainant, if any, and the educational 
agency or institution in writing if it 
initiates an investigation under 
§ 99.64(b). The notice to the educational 
agency or institution— 

(1) Includes the substance of the 
al I egati ons agai nst the educati onal 
agency or institution; and 



(2) Directs the agency or institution to 
submit a written response and other 
rel evant i nformati on, as set forth i n 
§99.62, within a specified period of 
time, including information about its 
policies and practices regarding 
education records. 

(b) The Office notifies the 
complainant if it does not initiate an 
investigation because the complaint 
fai I s to meet the requ i rements of § 99.64. 

(Authority: 20U.S.C. 1232g(g)) 

■ 16. Section 99.66 is amended by 
revising paragraphs (a), (b), and the 
introductory text of paragraph (c) to 
read as fol I ows: 

§ 99.66 What are the responsibilities of the 
Office in the enforcement process? 

(a) The Office reviews a complaint, if 
any, information submitted by the 
educational agency or institution, and 
any other relevant information. The 
Off i ce may perm i t th e parti es to su bm i t 
further written or oral arguments or 
information. 

(b) Following its investigation, the 
Office provides to the complainant, if 
any, and the educational agency or 
institution a written notice of its 
findings and the basis for its findings. 



(c) If the Office finds that an 
educational agency or institution has 
not complied with a provision of the 
Act or this part, it may also find that the 
fai lure to comply was based on a policy 
or practice of the agency or institution. 

A notice of findings issued under 
paragraph (b) of this section to an 
educational agency or institution that 
has not complied with a provision of the 
Act or this part— 

■ 17. Section 99.67 is amended by 
revising paragraph (a) to read as fol I ows: 

§ 99.67 How does the Secretary enforce 
decisions? 

(a) If an educational agency or 
institution does not comply during the 
period of time set under § 99.66(c), the 
Secretary may take any legally available 
enforcement action in accordance with 
the Act, including, but not limited to, 
the fol I owing enforcement actions 
available in accordance with partE of 
the General Education Provisions Act— 
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